2 * Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/crypto.h>
11 #include "modes_lcl.h"
15 * Trouble with Ciphertext Stealing, CTS, mode is that there is no
16 * common official specification, but couple of cipher/application
17 * specific ones: RFC2040 and RFC3962. Then there is 'Proposal to
18 * Extend CBC Mode By "Ciphertext Stealing"' at NIST site, which
19 * deviates from mentioned RFCs. Most notably it allows input to be
20 * of block length and it doesn't flip the order of the last two
21 * blocks. CTS is being discussed even in ECB context, but it's not
22 * adopted for any known application. This implementation provides
23 * two interfaces: one compliant with above mentioned RFCs and one
24 * compliant with the NIST proposal, both extending CBC mode.
27 size_t CRYPTO_cts128_encrypt_block(const unsigned char *in,
28 unsigned char *out, size_t len,
29 const void *key, unsigned char ivec[16],
37 if ((residue = len % 16) == 0)
42 CRYPTO_cbc128_encrypt(in, out, len, key, ivec, block);
47 for (n = 0; n < residue; ++n)
49 (*block) (ivec, ivec, key);
50 memcpy(out, out - 16, residue);
51 memcpy(out - 16, ivec, 16);
56 size_t CRYPTO_nistcts128_encrypt_block(const unsigned char *in,
57 unsigned char *out, size_t len,
59 unsigned char ivec[16],
71 CRYPTO_cbc128_encrypt(in, out, len, key, ivec, block);
79 for (n = 0; n < residue; ++n)
81 (*block) (ivec, ivec, key);
82 memcpy(out - 16 + residue, ivec, 16);
87 size_t CRYPTO_cts128_encrypt(const unsigned char *in, unsigned char *out,
88 size_t len, const void *key,
89 unsigned char ivec[16], cbc128_f cbc)
100 if ((residue = len % 16) == 0)
105 (*cbc) (in, out, len, key, ivec, 1);
110 #if defined(CBC_HANDLES_TRUNCATED_IO)
111 memcpy(tmp.c, out - 16, 16);
112 (*cbc) (in, out - 16, residue, key, ivec, 1);
113 memcpy(out, tmp.c, residue);
115 memset(tmp.c, 0, sizeof(tmp));
116 memcpy(tmp.c, in, residue);
117 memcpy(out, out - 16, residue);
118 (*cbc) (tmp.c, out - 16, 16, key, ivec, 1);
120 return len + residue;
123 size_t CRYPTO_nistcts128_encrypt(const unsigned char *in, unsigned char *out,
124 size_t len, const void *key,
125 unsigned char ivec[16], cbc128_f cbc)
140 (*cbc) (in, out, len, key, ivec, 1);
148 #if defined(CBC_HANDLES_TRUNCATED_IO)
149 (*cbc) (in, out - 16 + residue, residue, key, ivec, 1);
151 memset(tmp.c, 0, sizeof(tmp));
152 memcpy(tmp.c, in, residue);
153 (*cbc) (tmp.c, out - 16 + residue, 16, key, ivec, 1);
155 return len + residue;
158 size_t CRYPTO_cts128_decrypt_block(const unsigned char *in,
159 unsigned char *out, size_t len,
160 const void *key, unsigned char ivec[16],
172 if ((residue = len % 16) == 0)
178 CRYPTO_cbc128_decrypt(in, out, len, key, ivec, block);
183 (*block) (in, tmp.c + 16, key);
185 memcpy(tmp.c, tmp.c + 16, 16);
186 memcpy(tmp.c, in + 16, residue);
187 (*block) (tmp.c, tmp.c, key);
189 for (n = 0; n < 16; ++n) {
190 unsigned char c = in[n];
191 out[n] = tmp.c[n] ^ ivec[n];
194 for (residue += 16; n < residue; ++n)
195 out[n] = tmp.c[n] ^ in[n];
197 return 16 + len + residue;
200 size_t CRYPTO_nistcts128_decrypt_block(const unsigned char *in,
201 unsigned char *out, size_t len,
203 unsigned char ivec[16],
218 CRYPTO_cbc128_decrypt(in, out, len, key, ivec, block);
225 CRYPTO_cbc128_decrypt(in, out, len, key, ivec, block);
230 (*block) (in + residue, tmp.c + 16, key);
232 memcpy(tmp.c, tmp.c + 16, 16);
233 memcpy(tmp.c, in, residue);
234 (*block) (tmp.c, tmp.c, key);
236 for (n = 0; n < 16; ++n) {
237 unsigned char c = in[n];
238 out[n] = tmp.c[n] ^ ivec[n];
239 ivec[n] = in[n + residue];
242 for (residue += 16; n < residue; ++n)
243 out[n] = tmp.c[n] ^ tmp.c[n - 16];
245 return 16 + len + residue;
248 size_t CRYPTO_cts128_decrypt(const unsigned char *in, unsigned char *out,
249 size_t len, const void *key,
250 unsigned char ivec[16], cbc128_f cbc)
261 if ((residue = len % 16) == 0)
267 (*cbc) (in, out, len, key, ivec, 0);
272 memset(tmp.c, 0, sizeof(tmp));
274 * this places in[16] at &tmp.c[16] and decrypted block at &tmp.c[0]
276 (*cbc) (in, tmp.c, 16, key, tmp.c + 16, 0);
278 memcpy(tmp.c, in + 16, residue);
279 #if defined(CBC_HANDLES_TRUNCATED_IO)
280 (*cbc) (tmp.c, out, 16 + residue, key, ivec, 0);
282 (*cbc) (tmp.c, tmp.c, 32, key, ivec, 0);
283 memcpy(out, tmp.c, 16 + residue);
285 return 16 + len + residue;
288 size_t CRYPTO_nistcts128_decrypt(const unsigned char *in, unsigned char *out,
289 size_t len, const void *key,
290 unsigned char ivec[16], cbc128_f cbc)
304 (*cbc) (in, out, len, key, ivec, 0);
311 (*cbc) (in, out, len, key, ivec, 0);
316 memset(tmp.c, 0, sizeof(tmp));
318 * this places in[16] at &tmp.c[16] and decrypted block at &tmp.c[0]
320 (*cbc) (in + residue, tmp.c, 16, key, tmp.c + 16, 0);
322 memcpy(tmp.c, in, residue);
323 #if defined(CBC_HANDLES_TRUNCATED_IO)
324 (*cbc) (tmp.c, out, 16 + residue, key, ivec, 0);
326 (*cbc) (tmp.c, tmp.c, 32, key, ivec, 0);
327 memcpy(out, tmp.c, 16 + residue);
329 return 16 + len + residue;