cts128.c: add support for NIST "Ciphertext Stealing" proposal.
authorAndy Polyakov <appro@openssl.org>
Sat, 10 Apr 2010 14:01:02 +0000 (14:01 +0000)
committerAndy Polyakov <appro@openssl.org>
Sat, 10 Apr 2010 14:01:02 +0000 (14:01 +0000)
crypto/modes/cts128.c
crypto/modes/modes.h

index e0430f9fdcba1694b7cad769b82aa3e5e976a2f2..450ea44a9262ef20a8ad39c19e8068fc0798d19e 100644 (file)
@@ -23,8 +23,9 @@
  * deviates from mentioned RFCs. Most notably it allows input to be
  * of block length and it doesn't flip the order of the last two
  * blocks. CTS is being discussed even in ECB context, but it's not
- * adopted for any known application. This implementation complies
- * with mentioned RFCs and [as such] extends CBC mode.
+ * adopted for any known application. This implementation provides
+ * two interfaces: one compliant with above mentioned RFCs and one
+ * compliant with the NIST proposal, both extending CBC mode.
  */
 
 size_t CRYPTO_cts128_encrypt_block(const unsigned char *in, unsigned char *out,
@@ -54,6 +55,34 @@ size_t CRYPTO_cts128_encrypt_block(const unsigned char *in, unsigned char *out,
        return len+residue;
 }
 
+size_t CRYPTO_nistcts128_encrypt_block(const unsigned char *in, unsigned char *out,
+                       size_t len, const void *key,
+                       unsigned char ivec[16], block128_f block)
+{      size_t residue, n;
+
+       assert (in && out && key && ivec);
+
+       if (len < 16) return 0;
+
+       residue=len%16;
+
+       len -= residue;
+
+       CRYPTO_cbc128_encrypt(in,out,len,key,ivec,block);
+
+       if (residue==0) return len;
+
+       in  += len;
+       out += len;
+
+       for (n=0; n<residue; ++n)
+               ivec[n] ^= in[n];
+       (*block)(ivec,ivec,key);
+       memcpy(out-16+residue,ivec,16);
+
+       return len+residue;
+}
+
 size_t CRYPTO_cts128_encrypt(const unsigned char *in, unsigned char *out,
                        size_t len, const void *key,
                        unsigned char ivec[16], cbc128_f cbc)
@@ -90,6 +119,41 @@ size_t CRYPTO_cts128_encrypt(const unsigned char *in, unsigned char *out,
        return len+residue;
 }
 
+size_t CRYPTO_nistcts128_encrypt(const unsigned char *in, unsigned char *out,
+                       size_t len, const void *key,
+                       unsigned char ivec[16], cbc128_f cbc)
+{      size_t residue;
+       union { size_t align; unsigned char c[16]; } tmp;
+
+       assert (in && out && key && ivec);
+
+       if (len < 16) return 0;
+
+       residue=len%16;
+
+       len -= residue;
+
+       (*cbc)(in,out,len,key,ivec,1);
+
+       if (residue==0) return len;
+
+       in  += len;
+       out += len;
+
+#if defined(CBC_HANDLES_TRUNCATED_IO)
+       (*cbc)(in,out-16+residue,residue,key,ivec,1);
+#else
+       {
+       size_t n;
+       for (n=0; n<16; n+=sizeof(size_t))
+               *(size_t *)(tmp.c+n) = 0;
+       memcpy(tmp.c,in,residue);
+       }
+       (*cbc)(tmp.c,out-16+residue,16,key,ivec,1);
+#endif
+       return len+residue;
+}
+
 size_t CRYPTO_cts128_decrypt_block(const unsigned char *in, unsigned char *out,
                        size_t len, const void *key,
                        unsigned char ivec[16], block128_f block)
@@ -125,7 +189,51 @@ size_t CRYPTO_cts128_decrypt_block(const unsigned char *in, unsigned char *out,
        for(residue+=16; n<residue; ++n)
                out[n] = tmp.c[n] ^ in[n];
 
-       return len+residue-16;
+       return 16+len+residue;
+}
+
+size_t CRYPTO_nistcts128_decrypt_block(const unsigned char *in, unsigned char *out,
+                       size_t len, const void *key,
+                       unsigned char ivec[16], block128_f block)
+{      size_t residue, n;
+       union { size_t align; unsigned char c[32]; } tmp;
+
+       assert (in && out && key && ivec);
+
+       if (len<16) return 0;
+
+       residue=len%16;
+
+       if (residue==0) {
+               CRYPTO_cbc128_decrypt(in,out,len,key,ivec,block);
+               return len;
+       }
+
+       len -= 16+residue;
+
+       if (len) {
+               CRYPTO_cbc128_decrypt(in,out,len,key,ivec,block);
+               in  += len;
+               out += len;
+       }
+
+       (*block)(in+residue,tmp.c+16,key);
+
+       for (n=0; n<16; n+=sizeof(size_t))
+               *(size_t *)(tmp.c+n) = *(size_t *)(tmp.c+16+n);
+       memcpy(tmp.c,in,residue);
+       (*block)(tmp.c,tmp.c,key);
+
+       for(n=0; n<16; ++n) {
+               unsigned char c = in[n];
+               out[n] = tmp.c[n] ^ ivec[n];
+               ivec[n] = in[n+residue];
+               tmp.c[n] = c;
+       }
+       for(residue+=16; n<residue; ++n)
+               out[n] = tmp.c[n] ^ tmp.c[n-16];
+
+       return 16+len+residue;
 }
 
 size_t CRYPTO_cts128_decrypt(const unsigned char *in, unsigned char *out,
@@ -160,7 +268,47 @@ size_t CRYPTO_cts128_decrypt(const unsigned char *in, unsigned char *out,
        (*cbc)(tmp.c,tmp.c,32,key,ivec,0);
        memcpy(out,tmp.c,16+residue);
 #endif
-       return len+residue;
+       return 16+len+residue;
+}
+
+size_t CRYPTO_nistcts128_decrypt(const unsigned char *in, unsigned char *out,
+                       size_t len, const void *key,
+                       unsigned char ivec[16], cbc128_f cbc)
+{      size_t residue, n;
+       union { size_t align; unsigned char c[32]; } tmp;
+
+       assert (in && out && key && ivec);
+
+       if (len<16) return 0;
+
+       residue=len%16;
+
+       if (residue==0) {
+               (*cbc)(in,out,len,key,ivec,0);
+               return len;
+       }
+
+       len -= 16+residue;
+
+       if (len) {
+               (*cbc)(in,out,len,key,ivec,0);
+               in  += len;
+               out += len;
+       }
+
+       for (n=16; n<32; n+=sizeof(size_t))
+               *(size_t *)(tmp.c+n) = 0;
+       /* this places in[16] at &tmp.c[16] and decrypted block at &tmp.c[0] */
+       (*cbc)(in+residue,tmp.c,16,key,tmp.c+16,0);
+
+       memcpy(tmp.c,in,residue);
+#if defined(CBC_HANDLES_TRUNCATED_IO)
+       (*cbc)(tmp.c,out,16+residue,key,ivec,0);
+#else
+       (*cbc)(tmp.c,tmp.c,32,key,ivec,0);
+       memcpy(out,tmp.c,16+residue);
+#endif
+       return 16+len+residue;
 }
 
 #if defined(SELFTEST)
@@ -200,9 +348,8 @@ static const unsigned char vector_64[64] =
 static AES_KEY encks, decks;
 
 void test_vector(const unsigned char *vector,size_t len)
-{      unsigned char cleartext[64];
-       unsigned char iv[sizeof(test_iv)];
-       unsigned char ciphertext[64];
+{      unsigned char iv[sizeof(test_iv)];
+       unsigned char cleartext[64],ciphertext[64];
        size_t tail;
 
        printf("vector_%d\n",len); fflush(stdout);
@@ -243,7 +390,57 @@ void test_vector(const unsigned char *vector,size_t len)
                fprintf(stderr,"iv_%d mismatch\n",len), exit(4);
 }
 
-main()
+void test_nistvector(const unsigned char *vector,size_t len)
+{      unsigned char iv[sizeof(test_iv)];
+       unsigned char cleartext[64],ciphertext[64],nistvector[64];
+       size_t tail;
+
+       printf("nistvector_%d\n",len); fflush(stdout);
+
+       if ((tail=len%16) == 0) tail = 16;
+
+       len -= 16 + tail;
+       memcpy(nistvector,vector,len);
+       /* flip two last blocks */
+       memcpy(nistvector+len,vector+len+16,tail);
+       memcpy(nistvector+len+tail,vector+len,16);
+       len += 16 + tail;
+       tail = 16;
+
+       /* test block-based encryption */
+       memcpy(iv,test_iv,sizeof(test_iv));
+       CRYPTO_nistcts128_encrypt_block(test_input,ciphertext,len,&encks,iv,(block128_f)AES_encrypt);
+       if (memcmp(ciphertext,nistvector,len))
+               fprintf(stderr,"output_%d mismatch\n",len), exit(1);
+       if (memcmp(iv,nistvector+len-tail,sizeof(iv)))
+               fprintf(stderr,"iv_%d mismatch\n",len), exit(1);
+
+       /* test block-based decryption */
+       memcpy(iv,test_iv,sizeof(test_iv));
+       CRYPTO_nistcts128_decrypt_block(ciphertext,cleartext,len,&decks,iv,(block128_f)AES_decrypt);
+       if (memcmp(cleartext,test_input,len))
+               fprintf(stderr,"input_%d mismatch\n",len), exit(2);
+       if (memcmp(iv,nistvector+len-tail,sizeof(iv)))
+               fprintf(stderr,"iv_%d mismatch\n",len), exit(2);
+
+       /* test streamed encryption */
+       memcpy(iv,test_iv,sizeof(test_iv));
+       CRYPTO_nistcts128_encrypt(test_input,ciphertext,len,&encks,iv,(cbc128_f)AES_cbc_encrypt);
+       if (memcmp(ciphertext,nistvector,len))
+               fprintf(stderr,"output_%d mismatch\n",len), exit(3);
+       if (memcmp(iv,nistvector+len-tail,sizeof(iv)))
+               fprintf(stderr,"iv_%d mismatch\n",len), exit(3);
+
+       /* test streamed decryption */
+       memcpy(iv,test_iv,sizeof(test_iv));
+       CRYPTO_nistcts128_decrypt(ciphertext,cleartext,len,&decks,iv,(cbc128_f)AES_cbc_encrypt);
+       if (memcmp(cleartext,test_input,len))
+               fprintf(stderr,"input_%d mismatch\n",len), exit(4);
+       if (memcmp(iv,nistvector+len-tail,sizeof(iv)))
+               fprintf(stderr,"iv_%d mismatch\n",len), exit(4);
+}
+
+int main()
 {
        AES_set_encrypt_key(test_key,128,&encks);
        AES_set_decrypt_key(test_key,128,&decks);
@@ -254,6 +451,14 @@ main()
        test_vector(vector_47,sizeof(vector_47));
        test_vector(vector_48,sizeof(vector_48));
        test_vector(vector_64,sizeof(vector_64));
-       exit(0);
+
+       test_nistvector(vector_17,sizeof(vector_17));
+       test_nistvector(vector_31,sizeof(vector_31));
+       test_nistvector(vector_32,sizeof(vector_32));
+       test_nistvector(vector_47,sizeof(vector_47));
+       test_nistvector(vector_48,sizeof(vector_48));
+       test_nistvector(vector_64,sizeof(vector_64));
+
+       return 0;
 }
 #endif
index af8d97d795892f1bf51934c472bf7cf0cdaed558..12e1374978f1ecc4150f9011fc7a88e15b0dff0b 100644 (file)
@@ -57,3 +57,16 @@ size_t CRYPTO_cts128_decrypt_block(const unsigned char *in, unsigned char *out,
 size_t CRYPTO_cts128_decrypt(const unsigned char *in, unsigned char *out,
                        size_t len, const void *key,
                        unsigned char ivec[16], cbc128_f cbc);
+
+size_t CRYPTO_nistcts128_encrypt_block(const unsigned char *in, unsigned char *out,
+                       size_t len, const void *key,
+                       unsigned char ivec[16], block128_f block);
+size_t CRYPTO_nistcts128_encrypt(const unsigned char *in, unsigned char *out,
+                       size_t len, const void *key,
+                       unsigned char ivec[16], cbc128_f cbc);
+size_t CRYPTO_nistcts128_decrypt_block(const unsigned char *in, unsigned char *out,
+                       size_t len, const void *key,
+                       unsigned char ivec[16], block128_f block);
+size_t CRYPTO_nistcts128_decrypt(const unsigned char *in, unsigned char *out,
+                       size_t len, const void *key,
+                       unsigned char ivec[16], cbc128_f cbc);