]> git.ipfire.org Git - thirdparty/openssl.git/blob - providers/implementations/ciphers/cipher_aes_cts_fips.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Fix Segfault in EVP_PKEY_CTX_dup when the ctx has an undefined operation.
[thirdparty/openssl.git] / providers / implementations / ciphers / cipher_aes_cts_fips.c
1 /*
2 * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 /* Helper functions for AES CBC CTS ciphers related to fips */
11
12 /*
13 * Refer to SP800-38A-Addendum
14 *
15 * Ciphertext stealing encrypts plaintext using a block cipher, without padding
16 * the message to a multiple of the block size, so the ciphertext is the same
17 * size as the plaintext.
18 * It does this by altering processing of the last two blocks of the message.
19 * The processing of all but the last two blocks is unchanged, but a portion of
20 * the second-last block's ciphertext is "stolen" to pad the last plaintext
21 * block. The padded final block is then encrypted as usual.
22 * The final ciphertext for the last two blocks, consists of the partial block
23 * (with the "stolen" portion omitted) plus the full final block,
24 * which are the same size as the original plaintext.
25 * Decryption requires decrypting the final block first, then restoring the
26 * stolen ciphertext to the partial block, which can then be decrypted as usual.
27
28 * AES_CBC_CTS has 3 variants:
29 * (1) CS1 The NIST variant.
30 * If the length is a multiple of the blocksize it is the same as CBC mode.
31 * otherwise it produces C1||C2||(C(n-1))*||Cn.
32 * Where C(n-1)* is a partial block.
33 * (2) CS2
34 * If the length is a multiple of the blocksize it is the same as CBC mode.
35 * otherwise it produces C1||C2||Cn||(C(n-1))*.
36 * Where C(n-1)* is a partial block.
37 * (3) CS3 The Kerberos5 variant.
38 * Produces C1||C2||Cn||(C(n-1))* regardless of the length.
39 * If the length is a multiple of the blocksize it looks similar to CBC mode
40 * with the last 2 blocks swapped.
41 * Otherwise it is the same as CS2.
42 */
43
44 #include "e_os.h" /* strcasecmp */
45 #include <openssl/core_names.h>
46 #include <openssl/aes.h>
47 #include "prov/ciphercommon.h"
48 #include "internal/nelem.h"
49 #include "cipher_aes_cts.h"
50
51 /* The value assigned to 0 is the default */
52 #define CTS_CS1 0
53 #define CTS_CS2 1
54 #define CTS_CS3 2
55
56 typedef union {
57 size_t align;
58 unsigned char c[AES_BLOCK_SIZE];
59 } aligned_16bytes;
60
61 typedef struct cts_mode_name2id_st {
62 unsigned int id;
63 const char *name;
64 } CTS_MODE_NAME2ID;
65
66 static CTS_MODE_NAME2ID cts_modes[] =
67 {
68 { CTS_CS1, OSSL_CIPHER_CTS_MODE_CS1 },
69 #ifndef FIPS_MODULE
70 { CTS_CS2, OSSL_CIPHER_CTS_MODE_CS2 },
71 { CTS_CS3, OSSL_CIPHER_CTS_MODE_CS3 },
72 #endif
73 };
74
75 const char *ossl_aes_cbc_cts_mode_id2name(unsigned int id)
76 {
77 size_t i;
78
79 for (i = 0; i < OSSL_NELEM(cts_modes); ++i) {
80 if (cts_modes[i].id == id)
81 return cts_modes[i].name;
82 }
83 return NULL;
84 }
85
86 int ossl_aes_cbc_cts_mode_name2id(const char *name)
87 {
88 size_t i;
89
90 for (i = 0; i < OSSL_NELEM(cts_modes); ++i) {
91 if (strcasecmp(name, cts_modes[i].name) == 0)
92 return (int)cts_modes[i].id;
93 }
94 return -1;
95 }
96
97 static size_t cts128_cs1_encrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in,
98 unsigned char *out, size_t len)
99 {
100 aligned_16bytes tmp_in;
101 size_t residue;
102
103 residue = len % AES_BLOCK_SIZE;
104 len -= residue;
105 if (!ctx->hw->cipher(ctx, out, in, len))
106 return 0;
107
108 if (residue == 0)
109 return len;
110
111 in += len;
112 out += len;
113
114 memset(tmp_in.c, 0, sizeof(tmp_in));
115 memcpy(tmp_in.c, in, residue);
116 if (!ctx->hw->cipher(ctx, out - AES_BLOCK_SIZE + residue, tmp_in.c,
117 AES_BLOCK_SIZE))
118 return 0;
119 return len + residue;
120 }
121
122 static void do_xor(const unsigned char *in1, const unsigned char *in2,
123 size_t len, unsigned char *out)
124 {
125 size_t i;
126
127 for (i = 0; i < len; ++i)
128 out[i] = in1[i] ^ in2[i];
129 }
130
131 static size_t cts128_cs1_decrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in,
132 unsigned char *out, size_t len)
133 {
134 aligned_16bytes mid_iv, ct_mid, pt_last;
135 size_t residue;
136
137 residue = len % AES_BLOCK_SIZE;
138 if (residue == 0) {
139 /* If there are no partial blocks then it is the same as CBC mode */
140 if (!ctx->hw->cipher(ctx, out, in, len))
141 return 0;
142 return len;
143 }
144 /* Process blocks at the start - but leave the last 2 blocks */
145 len -= AES_BLOCK_SIZE + residue;
146 if (len > 0) {
147 if (!ctx->hw->cipher(ctx, out, in, len))
148 return 0;
149 in += len;
150 out += len;
151 }
152 /* Save the iv that will be used by the second last block */
153 memcpy(mid_iv.c, ctx->iv, AES_BLOCK_SIZE);
154
155 /* Decrypt the last block first using an iv of zero */
156 memset(ctx->iv, 0, AES_BLOCK_SIZE);
157 if (!ctx->hw->cipher(ctx, pt_last.c, in + residue, AES_BLOCK_SIZE))
158 return 0;
159
160 /*
161 * Rebuild the ciphertext of the second last block as a combination of
162 * the decrypted last block + replace the start with the ciphertext bytes
163 * of the partial second last block.
164 */
165 memcpy(ct_mid.c, in, residue);
166 memcpy(ct_mid.c + residue, pt_last.c + residue, AES_BLOCK_SIZE - residue);
167 /*
168 * Restore the last partial ciphertext block.
169 * Now that we have the cipher text of the second last block, apply
170 * that to the partial plaintext end block. We have already decrypted the
171 * block using an IV of zero. For decryption the IV is just XORed after
172 * doing an AES block - so just XOR in the cipher text.
173 */
174 do_xor(ct_mid.c, pt_last.c, residue, out + AES_BLOCK_SIZE);
175
176 /* Restore the iv needed by the second last block */
177 memcpy(ctx->iv, mid_iv.c, AES_BLOCK_SIZE);
178 /*
179 * Decrypt the second last plaintext block now that we have rebuilt the
180 * ciphertext.
181 */
182 if (!ctx->hw->cipher(ctx, out, ct_mid.c, AES_BLOCK_SIZE))
183 return 0;
184
185 return len + AES_BLOCK_SIZE + residue;
186 }
187
188 #ifndef FIPS_MODULE
189 static size_t cts128_cs3_encrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in,
190 unsigned char *out, size_t len)
191 {
192 aligned_16bytes tmp_in;
193 size_t residue;
194
195 if (len <= AES_BLOCK_SIZE) /* CS3 requires 2 blocks */
196 return 0;
197
198 residue = len % AES_BLOCK_SIZE;
199 if (residue == 0)
200 residue = AES_BLOCK_SIZE;
201 len -= residue;
202
203 if (!ctx->hw->cipher(ctx, out, in, len))
204 return 0;
205
206 in += len;
207 out += len;
208
209 memset(tmp_in.c, 0, sizeof(tmp_in));
210 memcpy(tmp_in.c, in, residue);
211 memcpy(out, out - AES_BLOCK_SIZE, residue);
212 if (!ctx->hw->cipher(ctx, out - AES_BLOCK_SIZE, tmp_in.c, AES_BLOCK_SIZE))
213 return 0;
214 return len + residue;
215 }
216
217 /*
218 * Note:
219 * The cipher text (in) is of the form C(0), C(1), ., C(n), C(n-1)* where
220 * C(n) is a full block and C(n-1)* can be a partial block
221 * (but could be a full block).
222 * This means that the output plaintext (out) needs to swap the plaintext of
223 * the last two decoded ciphertext blocks.
224 */
225 static size_t cts128_cs3_decrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in,
226 unsigned char *out, size_t len)
227 {
228 aligned_16bytes mid_iv, ct_mid, pt_last;
229 size_t residue;
230
231 if (len <= AES_BLOCK_SIZE) /* CS3 requires 2 blocks */
232 return 0;
233
234 /* Process blocks at the start - but leave the last 2 blocks */
235 residue = len % AES_BLOCK_SIZE;
236 if (residue == 0)
237 residue = AES_BLOCK_SIZE;
238 len -= AES_BLOCK_SIZE + residue;
239
240 if (len > 0) {
241 if (!ctx->hw->cipher(ctx, out, in, len))
242 return 0;
243 in += len;
244 out += len;
245 }
246 /* Save the iv that will be used by the second last block */
247 memcpy(mid_iv.c, ctx->iv, AES_BLOCK_SIZE);
248
249 /* Decrypt the Cn block first using an iv of zero */
250 memset(ctx->iv, 0, AES_BLOCK_SIZE);
251 if (!ctx->hw->cipher(ctx, pt_last.c, in, AES_BLOCK_SIZE))
252 return 0;
253
254 /*
255 * Rebuild the ciphertext of C(n-1) as a combination of
256 * the decrypted C(n) block + replace the start with the ciphertext bytes
257 * of the partial last block.
258 */
259 memcpy(ct_mid.c, in + AES_BLOCK_SIZE, residue);
260 if (residue != AES_BLOCK_SIZE)
261 memcpy(ct_mid.c + residue, pt_last.c + residue, AES_BLOCK_SIZE - residue);
262 /*
263 * Restore the last partial ciphertext block.
264 * Now that we have the cipher text of the second last block, apply
265 * that to the partial plaintext end block. We have already decrypted the
266 * block using an IV of zero. For decryption the IV is just XORed after
267 * doing an AES block - so just XOR in the ciphertext.
268 */
269 do_xor(ct_mid.c, pt_last.c, residue, out + AES_BLOCK_SIZE);
270
271 /* Restore the iv needed by the second last block */
272 memcpy(ctx->iv, mid_iv.c, AES_BLOCK_SIZE);
273 /*
274 * Decrypt the second last plaintext block now that we have rebuilt the
275 * ciphertext.
276 */
277 if (!ctx->hw->cipher(ctx, out, ct_mid.c, AES_BLOCK_SIZE))
278 return 0;
279
280 return len + AES_BLOCK_SIZE + residue;
281 }
282
283 static size_t cts128_cs2_encrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in,
284 unsigned char *out, size_t len)
285 {
286 if (len % AES_BLOCK_SIZE == 0) {
287 /* If there are no partial blocks then it is the same as CBC mode */
288 if (!ctx->hw->cipher(ctx, out, in, len))
289 return 0;
290 return len;
291 }
292 /* For partial blocks CS2 is equivalent to CS3 */
293 return cts128_cs3_encrypt(ctx, in, out, len);
294 }
295
296 static size_t cts128_cs2_decrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in,
297 unsigned char *out, size_t len)
298 {
299 if (len % AES_BLOCK_SIZE == 0) {
300 /* If there are no partial blocks then it is the same as CBC mode */
301 if (!ctx->hw->cipher(ctx, out, in, len))
302 return 0;
303 return len;
304 }
305 /* For partial blocks CS2 is equivalent to CS3 */
306 return cts128_cs3_decrypt(ctx, in, out, len);
307 }
308 #endif
309
310 int ossl_aes_cbc_cts_block_update(void *vctx, unsigned char *out, size_t *outl,
311 size_t outsize, const unsigned char *in,
312 size_t inl)
313 {
314 PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
315 size_t sz = 0;
316
317 if (inl < AES_BLOCK_SIZE) /* There must be at least one block for CTS mode */
318 return 0;
319 if (outsize < inl)
320 return 0;
321 if (out == NULL) {
322 *outl = inl;
323 return 1;
324 }
325
326 /*
327 * Return an error if the update is called multiple times, only one shot
328 * is supported.
329 */
330 if (ctx->updated == 1)
331 return 0;
332
333 if (ctx->enc) {
334 #ifdef FIPS_MODULE
335 sz = cts128_cs1_encrypt(ctx, in, out, inl);
336 #else
337 if (ctx->cts_mode == CTS_CS1)
338 sz = cts128_cs1_encrypt(ctx, in, out, inl);
339 else if (ctx->cts_mode == CTS_CS2)
340 sz = cts128_cs2_encrypt(ctx, in, out, inl);
341 else if (ctx->cts_mode == CTS_CS3)
342 sz = cts128_cs3_encrypt(ctx, in, out, inl);
343 #endif
344 } else {
345 #ifdef FIPS_MODULE
346 sz = cts128_cs1_decrypt(ctx, in, out, inl);
347 #else
348 if (ctx->cts_mode == CTS_CS1)
349 sz = cts128_cs1_decrypt(ctx, in, out, inl);
350 else if (ctx->cts_mode == CTS_CS2)
351 sz = cts128_cs2_decrypt(ctx, in, out, inl);
352 else if (ctx->cts_mode == CTS_CS3)
353 sz = cts128_cs3_decrypt(ctx, in, out, inl);
354 #endif
355 }
356 if (sz == 0)
357 return 0;
358 ctx->updated = 1; /* Stop multiple updates being allowed */
359 *outl = sz;
360 return 1;
361 }
362
363 int ossl_aes_cbc_cts_block_final(void *vctx, unsigned char *out, size_t *outl,
364 size_t outsize)
365 {
366 *outl = 0;
367 return 1;
368 }
A mirror of the official openssl repository