1 /* ====================================================================
2 * Copyright (c) 2008 The OpenSSL Project. All rights reserved.
4 * Rights for redistribution and usage in source and binary
5 * forms are granted according to the OpenSSL license.
8 #include <openssl/crypto.h>
20 * Trouble with Ciphertext Stealing, CTS, mode is that there is no
21 * common official specification, but couple of cipher/application
22 * specific ones: RFC2040 and RFC3962. Then there is 'Proposal to
23 * Extend CBC Mode By "Ciphertext Stealing"' at NIST site, which
24 * deviates from mentioned RFCs. Most notably it allows input to be
25 * of block length and it doesn't flip the order of the last two
26 * blocks. CTS is being discussed even in ECB context, but it's not
27 * adopted for any known application. This implementation provides
28 * two interfaces: one compliant with above mentioned RFCs and one
29 * compliant with the NIST proposal, both extending CBC mode.
32 size_t CRYPTO_cts128_encrypt_block(const unsigned char *in, unsigned char *out,
33 size_t len, const void *key,
34 unsigned char ivec[16], block128_f block)
37 assert (in && out && key && ivec);
39 if (len <= 16) return 0;
41 if ((residue=len%16) == 0) residue = 16;
45 CRYPTO_cbc128_encrypt(in,out,len,key,ivec,block);
50 for (n=0; n<residue; ++n)
52 (*block)(ivec,ivec,key);
53 memcpy(out,out-16,residue);
54 memcpy(out-16,ivec,16);
59 size_t CRYPTO_nistcts128_encrypt_block(const unsigned char *in, unsigned char *out,
60 size_t len, const void *key,
61 unsigned char ivec[16], block128_f block)
64 assert (in && out && key && ivec);
66 if (len < 16) return 0;
72 CRYPTO_cbc128_encrypt(in,out,len,key,ivec,block);
74 if (residue==0) return len;
79 for (n=0; n<residue; ++n)
81 (*block)(ivec,ivec,key);
82 memcpy(out-16+residue,ivec,16);
87 size_t CRYPTO_cts128_encrypt(const unsigned char *in, unsigned char *out,
88 size_t len, const void *key,
89 unsigned char ivec[16], cbc128_f cbc)
91 union { size_t align; unsigned char c[16]; } tmp;
93 assert (in && out && key && ivec);
95 if (len <= 16) return 0;
97 if ((residue=len%16) == 0) residue = 16;
101 (*cbc)(in,out,len,key,ivec,1);
106 #if defined(CBC_HANDLES_TRUNCATED_IO)
107 memcpy(tmp.c,out-16,16);
108 (*cbc)(in,out-16,residue,key,ivec,1);
109 memcpy(out,tmp.c,residue);
111 memset(tmp.c,0,sizeof(tmp));
112 memcpy(tmp.c,in,residue);
113 memcpy(out,out-16,residue);
114 (*cbc)(tmp.c,out-16,16,key,ivec,1);
119 size_t CRYPTO_nistcts128_encrypt(const unsigned char *in, unsigned char *out,
120 size_t len, const void *key,
121 unsigned char ivec[16], cbc128_f cbc)
123 union { size_t align; unsigned char c[16]; } tmp;
125 assert (in && out && key && ivec);
127 if (len < 16) return 0;
133 (*cbc)(in,out,len,key,ivec,1);
135 if (residue==0) return len;
140 #if defined(CBC_HANDLES_TRUNCATED_IO)
141 (*cbc)(in,out-16+residue,residue,key,ivec,1);
143 memset(tmp.c,0,sizeof(tmp));
144 memcpy(tmp.c,in,residue);
145 (*cbc)(tmp.c,out-16+residue,16,key,ivec,1);
150 size_t CRYPTO_cts128_decrypt_block(const unsigned char *in, unsigned char *out,
151 size_t len, const void *key,
152 unsigned char ivec[16], block128_f block)
154 union { size_t align; unsigned char c[32]; } tmp;
156 assert (in && out && key && ivec);
158 if (len<=16) return 0;
160 if ((residue=len%16) == 0) residue = 16;
165 CRYPTO_cbc128_decrypt(in,out,len,key,ivec,block);
170 (*block)(in,tmp.c+16,key);
172 memcpy(tmp.c,tmp.c+16,16);
173 memcpy(tmp.c,in+16,residue);
174 (*block)(tmp.c,tmp.c,key);
176 for(n=0; n<16; ++n) {
177 unsigned char c = in[n];
178 out[n] = tmp.c[n] ^ ivec[n];
181 for(residue+=16; n<residue; ++n)
182 out[n] = tmp.c[n] ^ in[n];
184 return 16+len+residue;
187 size_t CRYPTO_nistcts128_decrypt_block(const unsigned char *in, unsigned char *out,
188 size_t len, const void *key,
189 unsigned char ivec[16], block128_f block)
191 union { size_t align; unsigned char c[32]; } tmp;
193 assert (in && out && key && ivec);
195 if (len<16) return 0;
200 CRYPTO_cbc128_decrypt(in,out,len,key,ivec,block);
207 CRYPTO_cbc128_decrypt(in,out,len,key,ivec,block);
212 (*block)(in+residue,tmp.c+16,key);
214 memcpy(tmp.c,tmp.c+16,16);
215 memcpy(tmp.c,in,residue);
216 (*block)(tmp.c,tmp.c,key);
218 for(n=0; n<16; ++n) {
219 unsigned char c = in[n];
220 out[n] = tmp.c[n] ^ ivec[n];
221 ivec[n] = in[n+residue];
224 for(residue+=16; n<residue; ++n)
225 out[n] = tmp.c[n] ^ tmp.c[n-16];
227 return 16+len+residue;
230 size_t CRYPTO_cts128_decrypt(const unsigned char *in, unsigned char *out,
231 size_t len, const void *key,
232 unsigned char ivec[16], cbc128_f cbc)
234 union { size_t align; unsigned char c[32]; } tmp;
236 assert (in && out && key && ivec);
238 if (len<=16) return 0;
240 if ((residue=len%16) == 0) residue = 16;
245 (*cbc)(in,out,len,key,ivec,0);
250 memset(tmp.c,0,sizeof(tmp));
251 /* this places in[16] at &tmp.c[16] and decrypted block at &tmp.c[0] */
252 (*cbc)(in,tmp.c,16,key,tmp.c+16,0);
254 memcpy(tmp.c,in+16,residue);
255 #if defined(CBC_HANDLES_TRUNCATED_IO)
256 (*cbc)(tmp.c,out,16+residue,key,ivec,0);
258 (*cbc)(tmp.c,tmp.c,32,key,ivec,0);
259 memcpy(out,tmp.c,16+residue);
261 return 16+len+residue;
264 size_t CRYPTO_nistcts128_decrypt(const unsigned char *in, unsigned char *out,
265 size_t len, const void *key,
266 unsigned char ivec[16], cbc128_f cbc)
268 union { size_t align; unsigned char c[32]; } tmp;
270 assert (in && out && key && ivec);
272 if (len<16) return 0;
277 (*cbc)(in,out,len,key,ivec,0);
284 (*cbc)(in,out,len,key,ivec,0);
289 memset(tmp.c,0,sizeof(tmp));
290 /* this places in[16] at &tmp.c[16] and decrypted block at &tmp.c[0] */
291 (*cbc)(in+residue,tmp.c,16,key,tmp.c+16,0);
293 memcpy(tmp.c,in,residue);
294 #if defined(CBC_HANDLES_TRUNCATED_IO)
295 (*cbc)(tmp.c,out,16+residue,key,ivec,0);
297 (*cbc)(tmp.c,tmp.c,32,key,ivec,0);
298 memcpy(out,tmp.c,16+residue);
300 return 16+len+residue;
303 #if defined(SELFTEST)
305 #include <openssl/aes.h>
307 /* test vectors from RFC 3962 */
308 static const unsigned char test_key[16] = "chicken teriyaki";
309 static const unsigned char test_input[64] =
310 "I would like the" " General Gau's C"
311 "hicken, please, " "and wonton soup.";
312 static const unsigned char test_iv[16] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
314 static const unsigned char vector_17[17] = {
315 0xc6,0x35,0x35,0x68,0xf2,0xbf,0x8c,0xb4,
316 0xd8,0xa5,0x80,0x36,0x2d,0xa7,0xff,0x7f,
318 static const unsigned char vector_31[31] = {
319 0xfc,0x00,0x78,0x3e,0x0e,0xfd,0xb2,0xc1,
320 0xd4,0x45,0xd4,0xc8,0xef,0xf7,0xed,0x22,
321 0x97,0x68,0x72,0x68,0xd6,0xec,0xcc,0xc0,
322 0xc0,0x7b,0x25,0xe2,0x5e,0xcf,0xe5};
323 static const unsigned char vector_32[32] = {
324 0x39,0x31,0x25,0x23,0xa7,0x86,0x62,0xd5,
325 0xbe,0x7f,0xcb,0xcc,0x98,0xeb,0xf5,0xa8,
326 0x97,0x68,0x72,0x68,0xd6,0xec,0xcc,0xc0,
327 0xc0,0x7b,0x25,0xe2,0x5e,0xcf,0xe5,0x84};
328 static const unsigned char vector_47[47] = {
329 0x97,0x68,0x72,0x68,0xd6,0xec,0xcc,0xc0,
330 0xc0,0x7b,0x25,0xe2,0x5e,0xcf,0xe5,0x84,
331 0xb3,0xff,0xfd,0x94,0x0c,0x16,0xa1,0x8c,
332 0x1b,0x55,0x49,0xd2,0xf8,0x38,0x02,0x9e,
333 0x39,0x31,0x25,0x23,0xa7,0x86,0x62,0xd5,
334 0xbe,0x7f,0xcb,0xcc,0x98,0xeb,0xf5};
335 static const unsigned char vector_48[48] = {
336 0x97,0x68,0x72,0x68,0xd6,0xec,0xcc,0xc0,
337 0xc0,0x7b,0x25,0xe2,0x5e,0xcf,0xe5,0x84,
338 0x9d,0xad,0x8b,0xbb,0x96,0xc4,0xcd,0xc0,
339 0x3b,0xc1,0x03,0xe1,0xa1,0x94,0xbb,0xd8,
340 0x39,0x31,0x25,0x23,0xa7,0x86,0x62,0xd5,
341 0xbe,0x7f,0xcb,0xcc,0x98,0xeb,0xf5,0xa8};
342 static const unsigned char vector_64[64] = {
343 0x97,0x68,0x72,0x68,0xd6,0xec,0xcc,0xc0,
344 0xc0,0x7b,0x25,0xe2,0x5e,0xcf,0xe5,0x84,
345 0x39,0x31,0x25,0x23,0xa7,0x86,0x62,0xd5,
346 0xbe,0x7f,0xcb,0xcc,0x98,0xeb,0xf5,0xa8,
347 0x48,0x07,0xef,0xe8,0x36,0xee,0x89,0xa5,
348 0x26,0x73,0x0d,0xbc,0x2f,0x7b,0xc8,0x40,
349 0x9d,0xad,0x8b,0xbb,0x96,0xc4,0xcd,0xc0,
350 0x3b,0xc1,0x03,0xe1,0xa1,0x94,0xbb,0xd8};
352 static AES_KEY encks, decks;
354 void test_vector(const unsigned char *vector,size_t len)
355 { unsigned char iv[sizeof(test_iv)];
356 unsigned char cleartext[64],ciphertext[64];
359 printf("vector_%d\n",len); fflush(stdout);
361 if ((tail=len%16) == 0) tail = 16;
364 /* test block-based encryption */
365 memcpy(iv,test_iv,sizeof(test_iv));
366 CRYPTO_cts128_encrypt_block(test_input,ciphertext,len,&encks,iv,(block128_f)AES_encrypt);
367 if (memcmp(ciphertext,vector,len))
368 fprintf(stderr,"output_%d mismatch\n",len), exit(1);
369 if (memcmp(iv,vector+len-tail,sizeof(iv)))
370 fprintf(stderr,"iv_%d mismatch\n",len), exit(1);
372 /* test block-based decryption */
373 memcpy(iv,test_iv,sizeof(test_iv));
374 CRYPTO_cts128_decrypt_block(ciphertext,cleartext,len,&decks,iv,(block128_f)AES_decrypt);
375 if (memcmp(cleartext,test_input,len))
376 fprintf(stderr,"input_%d mismatch\n",len), exit(2);
377 if (memcmp(iv,vector+len-tail,sizeof(iv)))
378 fprintf(stderr,"iv_%d mismatch\n",len), exit(2);
380 /* test streamed encryption */
381 memcpy(iv,test_iv,sizeof(test_iv));
382 CRYPTO_cts128_encrypt(test_input,ciphertext,len,&encks,iv,(cbc128_f)AES_cbc_encrypt);
383 if (memcmp(ciphertext,vector,len))
384 fprintf(stderr,"output_%d mismatch\n",len), exit(3);
385 if (memcmp(iv,vector+len-tail,sizeof(iv)))
386 fprintf(stderr,"iv_%d mismatch\n",len), exit(3);
388 /* test streamed decryption */
389 memcpy(iv,test_iv,sizeof(test_iv));
390 CRYPTO_cts128_decrypt(ciphertext,cleartext,len,&decks,iv,(cbc128_f)AES_cbc_encrypt);
391 if (memcmp(cleartext,test_input,len))
392 fprintf(stderr,"input_%d mismatch\n",len), exit(4);
393 if (memcmp(iv,vector+len-tail,sizeof(iv)))
394 fprintf(stderr,"iv_%d mismatch\n",len), exit(4);
397 void test_nistvector(const unsigned char *vector,size_t len)
398 { unsigned char iv[sizeof(test_iv)];
399 unsigned char cleartext[64],ciphertext[64],nistvector[64];
402 printf("nistvector_%d\n",len); fflush(stdout);
404 if ((tail=len%16) == 0) tail = 16;
407 memcpy(nistvector,vector,len);
408 /* flip two last blocks */
409 memcpy(nistvector+len,vector+len+16,tail);
410 memcpy(nistvector+len+tail,vector+len,16);
414 /* test block-based encryption */
415 memcpy(iv,test_iv,sizeof(test_iv));
416 CRYPTO_nistcts128_encrypt_block(test_input,ciphertext,len,&encks,iv,(block128_f)AES_encrypt);
417 if (memcmp(ciphertext,nistvector,len))
418 fprintf(stderr,"output_%d mismatch\n",len), exit(1);
419 if (memcmp(iv,nistvector+len-tail,sizeof(iv)))
420 fprintf(stderr,"iv_%d mismatch\n",len), exit(1);
422 /* test block-based decryption */
423 memcpy(iv,test_iv,sizeof(test_iv));
424 CRYPTO_nistcts128_decrypt_block(ciphertext,cleartext,len,&decks,iv,(block128_f)AES_decrypt);
425 if (memcmp(cleartext,test_input,len))
426 fprintf(stderr,"input_%d mismatch\n",len), exit(2);
427 if (memcmp(iv,nistvector+len-tail,sizeof(iv)))
428 fprintf(stderr,"iv_%d mismatch\n",len), exit(2);
430 /* test streamed encryption */
431 memcpy(iv,test_iv,sizeof(test_iv));
432 CRYPTO_nistcts128_encrypt(test_input,ciphertext,len,&encks,iv,(cbc128_f)AES_cbc_encrypt);
433 if (memcmp(ciphertext,nistvector,len))
434 fprintf(stderr,"output_%d mismatch\n",len), exit(3);
435 if (memcmp(iv,nistvector+len-tail,sizeof(iv)))
436 fprintf(stderr,"iv_%d mismatch\n",len), exit(3);
438 /* test streamed decryption */
439 memcpy(iv,test_iv,sizeof(test_iv));
440 CRYPTO_nistcts128_decrypt(ciphertext,cleartext,len,&decks,iv,(cbc128_f)AES_cbc_encrypt);
441 if (memcmp(cleartext,test_input,len))
442 fprintf(stderr,"input_%d mismatch\n",len), exit(4);
443 if (memcmp(iv,nistvector+len-tail,sizeof(iv)))
444 fprintf(stderr,"iv_%d mismatch\n",len), exit(4);
449 AES_set_encrypt_key(test_key,128,&encks);
450 AES_set_decrypt_key(test_key,128,&decks);
452 test_vector(vector_17,sizeof(vector_17));
453 test_vector(vector_31,sizeof(vector_31));
454 test_vector(vector_32,sizeof(vector_32));
455 test_vector(vector_47,sizeof(vector_47));
456 test_vector(vector_48,sizeof(vector_48));
457 test_vector(vector_64,sizeof(vector_64));
459 test_nistvector(vector_17,sizeof(vector_17));
460 test_nistvector(vector_31,sizeof(vector_31));
461 test_nistvector(vector_32,sizeof(vector_32));
462 test_nistvector(vector_47,sizeof(vector_47));
463 test_nistvector(vector_48,sizeof(vector_48));
464 test_nistvector(vector_64,sizeof(vector_64));