Add modes/cts128.c, Ciphertext Stealing implementation.
authorAndy Polyakov <appro@openssl.org>
Sat, 27 Dec 2008 13:40:45 +0000 (13:40 +0000)
committerAndy Polyakov <appro@openssl.org>
Sat, 27 Dec 2008 13:40:45 +0000 (13:40 +0000)
crypto/modes/Makefile
crypto/modes/cts128.c [new file with mode: 0644]
crypto/modes/modes.h

index 94a28b612dce34566ed1e9d1c35b3744d866c33a..6c85861b6c56f4c744a563c35236109c85161f2c 100644 (file)
@@ -17,8 +17,8 @@ TEST=
 APPS=
 
 LIB=$(TOP)/libcrypto.a
-LIBSRC= cbc128.c ctr128.c cfb128.c ofb128.c
-LIBOBJ= cbc128.o ctr128.o cfb128.o ofb128.o
+LIBSRC= cbc128.c ctr128.c cts128.c cfb128.c ofb128.c
+LIBOBJ= cbc128.o ctr128.o cts128.o cfb128.o ofb128.o
 
 SRC= $(LIBSRC)
 
@@ -78,4 +78,5 @@ clean:
 cbc128.o: cbc128.c modes.h
 cfb128.o: cfb128.c modes.h
 ctr128.o: ctr128.c modes.h
+cts128.o: cts128.c modes.h
 ofb128.o: modes.h ofb128.c
diff --git a/crypto/modes/cts128.c b/crypto/modes/cts128.c
new file mode 100644 (file)
index 0000000..e0430f9
--- /dev/null
@@ -0,0 +1,259 @@
+/* ====================================================================
+ * Copyright (c) 2008 The OpenSSL Project. All rights reserved.
+ *
+ * Rights for redistribution and usage in source and binary
+ * forms are granted according to the OpenSSL license.
+ */
+
+#include "modes.h"
+#include <string.h>
+
+#ifndef MODES_DEBUG
+# ifndef NDEBUG
+#  define NDEBUG
+# endif
+#endif
+#include <assert.h>
+
+/*
+ * Trouble with Ciphertext Stealing, CTS, mode is that there is no
+ * common official specification, but couple of cipher/application
+ * specific ones: RFC2040 and RFC3962. Then there is 'Proposal to
+ * Extend CBC Mode By "Ciphertext Stealing"' at NIST site, which
+ * deviates from mentioned RFCs. Most notably it allows input to be
+ * of block length and it doesn't flip the order of the last two
+ * blocks. CTS is being discussed even in ECB context, but it's not
+ * adopted for any known application. This implementation complies
+ * with mentioned RFCs and [as such] extends CBC mode.
+ */
+
+size_t CRYPTO_cts128_encrypt_block(const unsigned char *in, unsigned char *out,
+                       size_t len, const void *key,
+                       unsigned char ivec[16], block128_f block)
+{      size_t residue, n;
+
+       assert (in && out && key && ivec);
+
+       if (len <= 16) return 0;
+
+       if ((residue=len%16) == 0) residue = 16;
+
+       len -= residue;
+
+       CRYPTO_cbc128_encrypt(in,out,len,key,ivec,block);
+
+       in  += len;
+       out += len;
+
+       for (n=0; n<residue; ++n)
+               ivec[n] ^= in[n];
+       (*block)(ivec,ivec,key);
+       memcpy(out,out-16,residue);
+       memcpy(out-16,ivec,16); 
+
+       return len+residue;
+}
+
+size_t CRYPTO_cts128_encrypt(const unsigned char *in, unsigned char *out,
+                       size_t len, const void *key,
+                       unsigned char ivec[16], cbc128_f cbc)
+{      size_t residue;
+       union { size_t align; unsigned char c[16]; } tmp;
+
+       assert (in && out && key && ivec);
+
+       if (len <= 16) return 0;
+
+       if ((residue=len%16) == 0) residue = 16;
+
+       len -= residue;
+
+       (*cbc)(in,out,len,key,ivec,1);
+
+       in  += len;
+       out += len;
+
+#if defined(CBC_HANDLES_TRUNCATED_IO)
+       memcpy(tmp.c,out-16,16);
+       (*cbc)(in,out-16,residue,key,ivec,1);
+       memcpy(out,tmp.c,residue);
+#else
+       {
+       size_t n;
+       for (n=0; n<16; n+=sizeof(size_t))
+               *(size_t *)(tmp.c+n) = 0;
+       memcpy(tmp.c,in,residue);
+       }
+       memcpy(out,out-16,residue);
+       (*cbc)(tmp.c,out-16,16,key,ivec,1);
+#endif
+       return len+residue;
+}
+
+size_t CRYPTO_cts128_decrypt_block(const unsigned char *in, unsigned char *out,
+                       size_t len, const void *key,
+                       unsigned char ivec[16], block128_f block)
+{      size_t residue, n;
+       union { size_t align; unsigned char c[32]; } tmp;
+
+       assert (in && out && key && ivec);
+
+       if (len<=16) return 0;
+
+       if ((residue=len%16) == 0) residue = 16;
+
+       len -= 16+residue;
+
+       if (len) {
+               CRYPTO_cbc128_decrypt(in,out,len,key,ivec,block);
+               in  += len;
+               out += len;
+       }
+
+       (*block)(in,tmp.c+16,key);
+
+       for (n=0; n<16; n+=sizeof(size_t))
+               *(size_t *)(tmp.c+n) = *(size_t *)(tmp.c+16+n);
+       memcpy(tmp.c,in+16,residue);
+       (*block)(tmp.c,tmp.c,key);
+
+       for(n=0; n<16; ++n) {
+               unsigned char c = in[n];
+               out[n] = tmp.c[n] ^ ivec[n];
+               ivec[n] = c;
+       }
+       for(residue+=16; n<residue; ++n)
+               out[n] = tmp.c[n] ^ in[n];
+
+       return len+residue-16;
+}
+
+size_t CRYPTO_cts128_decrypt(const unsigned char *in, unsigned char *out,
+                       size_t len, const void *key,
+                       unsigned char ivec[16], cbc128_f cbc)
+{      size_t residue, n;
+       union { size_t align; unsigned char c[32]; } tmp;
+
+       assert (in && out && key && ivec);
+
+       if (len<=16) return 0;
+
+       if ((residue=len%16) == 0) residue = 16;
+
+       len -= 16+residue;
+
+       if (len) {
+               (*cbc)(in,out,len,key,ivec,0);
+               in  += len;
+               out += len;
+       }
+
+       for (n=16; n<32; n+=sizeof(size_t))
+               *(size_t *)(tmp.c+n) = 0;
+       /* this places in[16] at &tmp.c[16] and decrypted block at &tmp.c[0] */
+       (*cbc)(in,tmp.c,16,key,tmp.c+16,0);
+
+       memcpy(tmp.c,in+16,residue);
+#if defined(CBC_HANDLES_TRUNCATED_IO)
+       (*cbc)(tmp.c,out,16+residue,key,ivec,0);
+#else
+       (*cbc)(tmp.c,tmp.c,32,key,ivec,0);
+       memcpy(out,tmp.c,16+residue);
+#endif
+       return len+residue;
+}
+
+#if defined(SELFTEST)
+#include <stdio.h>
+#include <openssl/aes.h>
+
+/* test vectors from RFC 3962 */
+static const unsigned char test_key[16] = "chicken teriyaki";
+static const unsigned char test_input[64] =
+               "I would like the" " General Gau's C"
+               "hicken, please, " "and wonton soup.";
+static const unsigned char test_iv[16] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
+
+static const unsigned char vector_17[17] =
+{0xc6,0x35,0x35,0x68,0xf2,0xbf,0x8c,0xb4, 0xd8,0xa5,0x80,0x36,0x2d,0xa7,0xff,0x7f,
+ 0x97};
+static const unsigned char vector_31[31] =
+{0xfc,0x00,0x78,0x3e,0x0e,0xfd,0xb2,0xc1, 0xd4,0x45,0xd4,0xc8,0xef,0xf7,0xed,0x22,
+ 0x97,0x68,0x72,0x68,0xd6,0xec,0xcc,0xc0, 0xc0,0x7b,0x25,0xe2,0x5e,0xcf,0xe5};
+static const unsigned char vector_32[32] =
+{0x39,0x31,0x25,0x23,0xa7,0x86,0x62,0xd5, 0xbe,0x7f,0xcb,0xcc,0x98,0xeb,0xf5,0xa8,
+ 0x97,0x68,0x72,0x68,0xd6,0xec,0xcc,0xc0, 0xc0,0x7b,0x25,0xe2,0x5e,0xcf,0xe5,0x84};
+static const unsigned char vector_47[47] =
+{0x97,0x68,0x72,0x68,0xd6,0xec,0xcc,0xc0, 0xc0,0x7b,0x25,0xe2,0x5e,0xcf,0xe5,0x84,
+ 0xb3,0xff,0xfd,0x94,0x0c,0x16,0xa1,0x8c, 0x1b,0x55,0x49,0xd2,0xf8,0x38,0x02,0x9e,
+ 0x39,0x31,0x25,0x23,0xa7,0x86,0x62,0xd5, 0xbe,0x7f,0xcb,0xcc,0x98,0xeb,0xf5};
+static const unsigned char vector_48[48] =
+{0x97,0x68,0x72,0x68,0xd6,0xec,0xcc,0xc0, 0xc0,0x7b,0x25,0xe2,0x5e,0xcf,0xe5,0x84,
+ 0x9d,0xad,0x8b,0xbb,0x96,0xc4,0xcd,0xc0, 0x3b,0xc1,0x03,0xe1,0xa1,0x94,0xbb,0xd8,
+ 0x39,0x31,0x25,0x23,0xa7,0x86,0x62,0xd5, 0xbe,0x7f,0xcb,0xcc,0x98,0xeb,0xf5,0xa8};
+static const unsigned char vector_64[64] =
+{0x97,0x68,0x72,0x68,0xd6,0xec,0xcc,0xc0, 0xc0,0x7b,0x25,0xe2,0x5e,0xcf,0xe5,0x84,
+ 0x39,0x31,0x25,0x23,0xa7,0x86,0x62,0xd5, 0xbe,0x7f,0xcb,0xcc,0x98,0xeb,0xf5,0xa8,
+ 0x48,0x07,0xef,0xe8,0x36,0xee,0x89,0xa5, 0x26,0x73,0x0d,0xbc,0x2f,0x7b,0xc8,0x40,
+ 0x9d,0xad,0x8b,0xbb,0x96,0xc4,0xcd,0xc0, 0x3b,0xc1,0x03,0xe1,0xa1,0x94,0xbb,0xd8};
+
+static AES_KEY encks, decks;
+
+void test_vector(const unsigned char *vector,size_t len)
+{      unsigned char cleartext[64];
+       unsigned char iv[sizeof(test_iv)];
+       unsigned char ciphertext[64];
+       size_t tail;
+
+       printf("vector_%d\n",len); fflush(stdout);
+
+       if ((tail=len%16) == 0) tail = 16;
+       tail += 16;
+
+       /* test block-based encryption */
+       memcpy(iv,test_iv,sizeof(test_iv));
+       CRYPTO_cts128_encrypt_block(test_input,ciphertext,len,&encks,iv,(block128_f)AES_encrypt);
+       if (memcmp(ciphertext,vector,len))
+               fprintf(stderr,"output_%d mismatch\n",len), exit(1);
+       if (memcmp(iv,vector+len-tail,sizeof(iv)))
+               fprintf(stderr,"iv_%d mismatch\n",len), exit(1);
+
+       /* test block-based decryption */
+       memcpy(iv,test_iv,sizeof(test_iv));
+       CRYPTO_cts128_decrypt_block(ciphertext,cleartext,len,&decks,iv,(block128_f)AES_decrypt);
+       if (memcmp(cleartext,test_input,len))
+               fprintf(stderr,"input_%d mismatch\n",len), exit(2);
+       if (memcmp(iv,vector+len-tail,sizeof(iv)))
+               fprintf(stderr,"iv_%d mismatch\n",len), exit(2);
+
+       /* test streamed encryption */
+       memcpy(iv,test_iv,sizeof(test_iv));
+       CRYPTO_cts128_encrypt(test_input,ciphertext,len,&encks,iv,(cbc128_f)AES_cbc_encrypt);
+       if (memcmp(ciphertext,vector,len))
+               fprintf(stderr,"output_%d mismatch\n",len), exit(3);
+       if (memcmp(iv,vector+len-tail,sizeof(iv)))
+               fprintf(stderr,"iv_%d mismatch\n",len), exit(3);
+
+       /* test streamed decryption */
+       memcpy(iv,test_iv,sizeof(test_iv));
+       CRYPTO_cts128_decrypt(ciphertext,cleartext,len,&decks,iv,(cbc128_f)AES_cbc_encrypt);
+       if (memcmp(cleartext,test_input,len))
+               fprintf(stderr,"input_%d mismatch\n",len), exit(4);
+       if (memcmp(iv,vector+len-tail,sizeof(iv)))
+               fprintf(stderr,"iv_%d mismatch\n",len), exit(4);
+}
+
+main()
+{
+       AES_set_encrypt_key(test_key,128,&encks);
+       AES_set_decrypt_key(test_key,128,&decks);
+
+       test_vector(vector_17,sizeof(vector_17));
+       test_vector(vector_31,sizeof(vector_31));
+       test_vector(vector_32,sizeof(vector_32));
+       test_vector(vector_47,sizeof(vector_47));
+       test_vector(vector_48,sizeof(vector_48));
+       test_vector(vector_64,sizeof(vector_64));
+       exit(0);
+}
+#endif
index 6315a60fc4d42edf95f673747546c6a5946e6cb0..af8d97d795892f1bf51934c472bf7cf0cdaed558 100644 (file)
@@ -11,6 +11,10 @@ typedef void (*block128_f)(const unsigned char in[16],
                        unsigned char out[16],
                        const void *key);
 
+typedef void (*cbc128_f)(const unsigned char *in, unsigned char *out,
+                       size_t len, const void *key,
+                       unsigned char ivec[16], int enc);
+
 void CRYPTO_cbc128_encrypt(const unsigned char *in, unsigned char *out,
                        size_t len, const void *key,
                        unsigned char ivec[16], block128_f block);
@@ -40,3 +44,16 @@ void CRYPTO_cfb128_1_encrypt(const unsigned char *in, unsigned char *out,
                        size_t bits, const void *key,
                        unsigned char ivec[16], int *num,
                        int enc, block128_f block);
+
+size_t CRYPTO_cts128_encrypt_block(const unsigned char *in, unsigned char *out,
+                       size_t len, const void *key,
+                       unsigned char ivec[16], block128_f block);
+size_t CRYPTO_cts128_encrypt(const unsigned char *in, unsigned char *out,
+                       size_t len, const void *key,
+                       unsigned char ivec[16], cbc128_f cbc);
+size_t CRYPTO_cts128_decrypt_block(const unsigned char *in, unsigned char *out,
+                       size_t len, const void *key,
+                       unsigned char ivec[16], block128_f block);
+size_t CRYPTO_cts128_decrypt(const unsigned char *in, unsigned char *out,
+                       size_t len, const void *key,
+                       unsigned char ivec[16], cbc128_f cbc);