2 * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 /* Helper functions for AES CBC CTS ciphers related to fips */
13 * Refer to SP800-38A-Addendum
15 * Ciphertext stealing encrypts plaintext using a block cipher, without padding
16 * the message to a multiple of the block size, so the ciphertext is the same
17 * size as the plaintext.
18 * It does this by altering processing of the last two blocks of the message.
19 * The processing of all but the last two blocks is unchanged, but a portion of
20 * the second-last block's ciphertext is "stolen" to pad the last plaintext
21 * block. The padded final block is then encrypted as usual.
22 * The final ciphertext for the last two blocks, consists of the partial block
23 * (with the "stolen" portion omitted) plus the full final block,
24 * which are the same size as the original plaintext.
25 * Decryption requires decrypting the final block first, then restoring the
26 * stolen ciphertext to the partial block, which can then be decrypted as usual.
28 * AES_CBC_CTS has 3 variants:
29 * (1) CS1 The NIST variant.
30 * If the length is a multiple of the blocksize it is the same as CBC mode.
31 * otherwise it produces C1||C2||(C(n-1))*||Cn.
32 * Where C(n-1)* is a partial block.
34 * If the length is a multiple of the blocksize it is the same as CBC mode.
35 * otherwise it produces C1||C2||Cn||(C(n-1))*.
36 * Where C(n-1)* is a partial block.
37 * (3) CS3 The Kerberos5 variant.
38 * Produces C1||C2||Cn||(C(n-1))* regardless of the length.
39 * If the length is a multiple of the blocksize it looks similar to CBC mode
40 * with the last 2 blocks swapped.
41 * Otherwise it is the same as CS2.
44 #include "e_os.h" /* strcasecmp */
45 #include <openssl/core_names.h>
46 #include <openssl/aes.h>
47 #include "prov/ciphercommon.h"
48 #include "internal/nelem.h"
49 #include "cipher_aes_cts.h"
51 /* The value assigned to 0 is the default */
58 unsigned char c
[AES_BLOCK_SIZE
];
61 typedef struct cts_mode_name2id_st
{
66 static CTS_MODE_NAME2ID cts_modes
[] =
68 { CTS_CS1
, OSSL_CIPHER_CTS_MODE_CS1
},
70 { CTS_CS2
, OSSL_CIPHER_CTS_MODE_CS2
},
71 { CTS_CS3
, OSSL_CIPHER_CTS_MODE_CS3
},
75 const char *ossl_aes_cbc_cts_mode_id2name(unsigned int id
)
79 for (i
= 0; i
< OSSL_NELEM(cts_modes
); ++i
) {
80 if (cts_modes
[i
].id
== id
)
81 return cts_modes
[i
].name
;
86 int ossl_aes_cbc_cts_mode_name2id(const char *name
)
90 for (i
= 0; i
< OSSL_NELEM(cts_modes
); ++i
) {
91 if (strcasecmp(name
, cts_modes
[i
].name
) == 0)
92 return (int)cts_modes
[i
].id
;
97 static size_t cts128_cs1_encrypt(PROV_CIPHER_CTX
*ctx
, const unsigned char *in
,
98 unsigned char *out
, size_t len
)
100 aligned_16bytes tmp_in
;
103 residue
= len
% AES_BLOCK_SIZE
;
105 if (!ctx
->hw
->cipher(ctx
, out
, in
, len
))
114 memset(tmp_in
.c
, 0, sizeof(tmp_in
));
115 memcpy(tmp_in
.c
, in
, residue
);
116 if (!ctx
->hw
->cipher(ctx
, out
- AES_BLOCK_SIZE
+ residue
, tmp_in
.c
,
119 return len
+ residue
;
122 static void do_xor(const unsigned char *in1
, const unsigned char *in2
,
123 size_t len
, unsigned char *out
)
127 for (i
= 0; i
< len
; ++i
)
128 out
[i
] = in1
[i
] ^ in2
[i
];
131 static size_t cts128_cs1_decrypt(PROV_CIPHER_CTX
*ctx
, const unsigned char *in
,
132 unsigned char *out
, size_t len
)
134 aligned_16bytes mid_iv
, ct_mid
, pt_last
;
137 residue
= len
% AES_BLOCK_SIZE
;
139 /* If there are no partial blocks then it is the same as CBC mode */
140 if (!ctx
->hw
->cipher(ctx
, out
, in
, len
))
144 /* Process blocks at the start - but leave the last 2 blocks */
145 len
-= AES_BLOCK_SIZE
+ residue
;
147 if (!ctx
->hw
->cipher(ctx
, out
, in
, len
))
152 /* Save the iv that will be used by the second last block */
153 memcpy(mid_iv
.c
, ctx
->iv
, AES_BLOCK_SIZE
);
155 /* Decrypt the last block first using an iv of zero */
156 memset(ctx
->iv
, 0, AES_BLOCK_SIZE
);
157 if (!ctx
->hw
->cipher(ctx
, pt_last
.c
, in
+ residue
, AES_BLOCK_SIZE
))
161 * Rebuild the ciphertext of the second last block as a combination of
162 * the decrypted last block + replace the start with the ciphertext bytes
163 * of the partial second last block.
165 memcpy(ct_mid
.c
, in
, residue
);
166 memcpy(ct_mid
.c
+ residue
, pt_last
.c
+ residue
, AES_BLOCK_SIZE
- residue
);
168 * Restore the last partial ciphertext block.
169 * Now that we have the cipher text of the second last block, apply
170 * that to the partial plaintext end block. We have already decrypted the
171 * block using an IV of zero. For decryption the IV is just XORed after
172 * doing an AES block - so just XOR in the cipher text.
174 do_xor(ct_mid
.c
, pt_last
.c
, residue
, out
+ AES_BLOCK_SIZE
);
176 /* Restore the iv needed by the second last block */
177 memcpy(ctx
->iv
, mid_iv
.c
, AES_BLOCK_SIZE
);
179 * Decrypt the second last plaintext block now that we have rebuilt the
182 if (!ctx
->hw
->cipher(ctx
, out
, ct_mid
.c
, AES_BLOCK_SIZE
))
185 return len
+ AES_BLOCK_SIZE
+ residue
;
189 static size_t cts128_cs3_encrypt(PROV_CIPHER_CTX
*ctx
, const unsigned char *in
,
190 unsigned char *out
, size_t len
)
192 aligned_16bytes tmp_in
;
195 if (len
<= AES_BLOCK_SIZE
) /* CS3 requires 2 blocks */
198 residue
= len
% AES_BLOCK_SIZE
;
200 residue
= AES_BLOCK_SIZE
;
203 if (!ctx
->hw
->cipher(ctx
, out
, in
, len
))
209 memset(tmp_in
.c
, 0, sizeof(tmp_in
));
210 memcpy(tmp_in
.c
, in
, residue
);
211 memcpy(out
, out
- AES_BLOCK_SIZE
, residue
);
212 if (!ctx
->hw
->cipher(ctx
, out
- AES_BLOCK_SIZE
, tmp_in
.c
, AES_BLOCK_SIZE
))
214 return len
+ residue
;
219 * The cipher text (in) is of the form C(0), C(1), ., C(n), C(n-1)* where
220 * C(n) is a full block and C(n-1)* can be a partial block
221 * (but could be a full block).
222 * This means that the output plaintext (out) needs to swap the plaintext of
223 * the last two decoded ciphertext blocks.
225 static size_t cts128_cs3_decrypt(PROV_CIPHER_CTX
*ctx
, const unsigned char *in
,
226 unsigned char *out
, size_t len
)
228 aligned_16bytes mid_iv
, ct_mid
, pt_last
;
231 if (len
<= AES_BLOCK_SIZE
) /* CS3 requires 2 blocks */
234 /* Process blocks at the start - but leave the last 2 blocks */
235 residue
= len
% AES_BLOCK_SIZE
;
237 residue
= AES_BLOCK_SIZE
;
238 len
-= AES_BLOCK_SIZE
+ residue
;
241 if (!ctx
->hw
->cipher(ctx
, out
, in
, len
))
246 /* Save the iv that will be used by the second last block */
247 memcpy(mid_iv
.c
, ctx
->iv
, AES_BLOCK_SIZE
);
249 /* Decrypt the Cn block first using an iv of zero */
250 memset(ctx
->iv
, 0, AES_BLOCK_SIZE
);
251 if (!ctx
->hw
->cipher(ctx
, pt_last
.c
, in
, AES_BLOCK_SIZE
))
255 * Rebuild the ciphertext of C(n-1) as a combination of
256 * the decrypted C(n) block + replace the start with the ciphertext bytes
257 * of the partial last block.
259 memcpy(ct_mid
.c
, in
+ AES_BLOCK_SIZE
, residue
);
260 if (residue
!= AES_BLOCK_SIZE
)
261 memcpy(ct_mid
.c
+ residue
, pt_last
.c
+ residue
, AES_BLOCK_SIZE
- residue
);
263 * Restore the last partial ciphertext block.
264 * Now that we have the cipher text of the second last block, apply
265 * that to the partial plaintext end block. We have already decrypted the
266 * block using an IV of zero. For decryption the IV is just XORed after
267 * doing an AES block - so just XOR in the ciphertext.
269 do_xor(ct_mid
.c
, pt_last
.c
, residue
, out
+ AES_BLOCK_SIZE
);
271 /* Restore the iv needed by the second last block */
272 memcpy(ctx
->iv
, mid_iv
.c
, AES_BLOCK_SIZE
);
274 * Decrypt the second last plaintext block now that we have rebuilt the
277 if (!ctx
->hw
->cipher(ctx
, out
, ct_mid
.c
, AES_BLOCK_SIZE
))
280 return len
+ AES_BLOCK_SIZE
+ residue
;
283 static size_t cts128_cs2_encrypt(PROV_CIPHER_CTX
*ctx
, const unsigned char *in
,
284 unsigned char *out
, size_t len
)
286 if (len
% AES_BLOCK_SIZE
== 0) {
287 /* If there are no partial blocks then it is the same as CBC mode */
288 if (!ctx
->hw
->cipher(ctx
, out
, in
, len
))
292 /* For partial blocks CS2 is equivalent to CS3 */
293 return cts128_cs3_encrypt(ctx
, in
, out
, len
);
296 static size_t cts128_cs2_decrypt(PROV_CIPHER_CTX
*ctx
, const unsigned char *in
,
297 unsigned char *out
, size_t len
)
299 if (len
% AES_BLOCK_SIZE
== 0) {
300 /* If there are no partial blocks then it is the same as CBC mode */
301 if (!ctx
->hw
->cipher(ctx
, out
, in
, len
))
305 /* For partial blocks CS2 is equivalent to CS3 */
306 return cts128_cs3_decrypt(ctx
, in
, out
, len
);
310 int ossl_aes_cbc_cts_block_update(void *vctx
, unsigned char *out
, size_t *outl
,
311 size_t outsize
, const unsigned char *in
,
314 PROV_CIPHER_CTX
*ctx
= (PROV_CIPHER_CTX
*)vctx
;
317 if (inl
< AES_BLOCK_SIZE
) /* There must be at least one block for CTS mode */
327 * Return an error if the update is called multiple times, only one shot
330 if (ctx
->updated
== 1)
335 sz
= cts128_cs1_encrypt(ctx
, in
, out
, inl
);
337 if (ctx
->cts_mode
== CTS_CS1
)
338 sz
= cts128_cs1_encrypt(ctx
, in
, out
, inl
);
339 else if (ctx
->cts_mode
== CTS_CS2
)
340 sz
= cts128_cs2_encrypt(ctx
, in
, out
, inl
);
341 else if (ctx
->cts_mode
== CTS_CS3
)
342 sz
= cts128_cs3_encrypt(ctx
, in
, out
, inl
);
346 sz
= cts128_cs1_decrypt(ctx
, in
, out
, inl
);
348 if (ctx
->cts_mode
== CTS_CS1
)
349 sz
= cts128_cs1_decrypt(ctx
, in
, out
, inl
);
350 else if (ctx
->cts_mode
== CTS_CS2
)
351 sz
= cts128_cs2_decrypt(ctx
, in
, out
, inl
);
352 else if (ctx
->cts_mode
== CTS_CS3
)
353 sz
= cts128_cs3_decrypt(ctx
, in
, out
, inl
);
358 ctx
->updated
= 1; /* Stop multiple updates being allowed */
363 int ossl_aes_cbc_cts_block_final(void *vctx
, unsigned char *out
, size_t *outl
,