From: Shane Lontis Date: Thu, 12 Aug 2021 08:22:50 +0000 (+1000) Subject: Add support for camellia cbc cts mode X-Git-Tag: openssl-3.0.0~111 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7f5a9399d27564a7136eed2df693755a3bec2cfc;p=thirdparty%2Fopenssl.git Add support for camellia cbc cts mode Fixes #16276 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16286) --- diff --git a/doc/man3/EVP_EncryptInit.pod b/doc/man3/EVP_EncryptInit.pod index a03c31ea35b..cb366296848 100644 --- a/doc/man3/EVP_EncryptInit.pod +++ b/doc/man3/EVP_EncryptInit.pod @@ -738,7 +738,8 @@ that has the flag B set. =item "cts_mode" (B) Gets or sets the cipher text stealing mode. For all modes the output size is the -same as the input size. +same as the input size. The input length must be greater than or equal to the +block size. (The block size for AES and CAMELLIA is 16 bytes). Valid values for the mode are: @@ -747,25 +748,28 @@ Valid values for the mode are: =item "CS1" The NIST variant of cipher text stealing. -For message lengths that are multiples of the block size it is equivalent to -using a "AES-CBC" cipher otherwise the second last cipher text block is a -partial block. +For input lengths that are multiples of the block size it is equivalent to +using a "AES-XXX-CBC" or "CAMELLIA-XXX-CBC" cipher otherwise the second last +cipher text block is a partial block. =item "CS2" -For message lengths that are multiples of the block size it is equivalent to -using a "AES-CBC" cipher, otherwise it is the same as "CS3". +For input lengths that are multiples of the block size it is equivalent to +using a "AES-XXX-CBC" or "CAMELLIA-XXX-CBC" cipher, otherwise it is the same as +"CS3" mode. =item "CS3" The Kerberos5 variant of cipher text stealing which always swaps the last cipher text block with the previous block (which may be a partial or full block -depending on the input length). +depending on the input length). If the input length is exactly one full block +then this is equivalent to using a "AES-XXX-CBC" or "CAMELLIA-XXX-CBC" cipher. =back The default is "CS1". -This is only supported for "AES-128-CBC-CTS", "AES-192-CBC-CTS" and "AES-256-CBC-CTS". +This is only supported for "AES-128-CBC-CTS", "AES-192-CBC-CTS", "AES-256-CBC-CTS", +"CAMELLIA-128-CBC-CTS", "CAMELLIA-192-CBC-CTS" and "CAMELLIA-256-CBC-CTS". =item "tls1multi_interleave" (B) diff --git a/doc/man7/EVP_CIPHER-CAMELLIA.pod b/doc/man7/EVP_CIPHER-CAMELLIA.pod index 7b129c64071..bba8001d00c 100644 --- a/doc/man7/EVP_CIPHER-CAMELLIA.pod +++ b/doc/man7/EVP_CIPHER-CAMELLIA.pod @@ -16,6 +16,8 @@ The following algorithms are available in the default provider: =item "CAMELLIA-128-CBC", "CAMELLIA-192-CBC" and "CAMELLIA-256-CBC" +=item "CAMELLIA-128-CBC-CTS", "CAMELLIA-192-CBC-CTS" and "CAMELLIA-256-CBC-CTS" + =item "CAMELLIA-128-CFB", "CAMELLIA-192-CFB", "CAMELLIA-256-CFB", "CAMELLIA-128-CFB1", "CAMELLIA-192-CFB1", "CAMELLIA-256-CFB1", "CAMELLIA-128-CFB8", "CAMELLIA-192-CFB8" and "CAMELLIA-256-CFB8" diff --git a/doc/man7/migration_guide.pod b/doc/man7/migration_guide.pod index 8cc017dfa67..7e0bbf465df 100644 --- a/doc/man7/migration_guide.pod +++ b/doc/man7/migration_guide.pod @@ -219,9 +219,10 @@ unwrapping. The algorithms are: "AES-128-WRAP-INV", "AES-192-WRAP-INV", =item * -AES CTS cipher added to EVP layer. +CTS ciphers added to EVP layer. -The algorithms are "AES-128-CBC-CTS", "AES-192-CBC-CTS" and "AES-256-CBC-CTS". +The algorithms are "AES-128-CBC-CTS", "AES-192-CBC-CTS", "AES-256-CBC-CTS", +"CAMELLIA-128-CBC-CTS", "CAMELLIA-192-CBC-CTS" and "CAMELLIA-256-CBC-CTS". CS1, CS2 and CS3 variants are supported. =back @@ -1220,6 +1221,19 @@ tools, such as compiler memory and leak sanitizers or Valgrind. =item * +CRYPTO_cts128_encrypt_block(), CRYPTO_cts128_encrypt(), +CRYPTO_cts128_decrypt_block(), CRYPTO_cts128_decrypt(), +CRYPTO_nistcts128_encrypt_block(), CRYPTO_nistcts128_encrypt(), +CRYPTO_nistcts128_decrypt_block(), CRYPTO_nistcts128_decrypt() + +Use the higher level functions EVP_CipherInit_ex2(), EVP_CipherUpdate() and +EVP_CipherFinal_ex() instead. +See the "cts_mode" parameter in +L. +See L for a AES-256-CBC-CTS example. + +=item * + d2i_DHparams(), d2i_DHxparams(), d2i_DSAparams(), d2i_DSAPrivateKey(), d2i_DSAPrivateKey_bio(), d2i_DSAPrivateKey_fp(), d2i_DSA_PUBKEY(), d2i_DSA_PUBKEY_bio(), d2i_DSA_PUBKEY_fp(), d2i_DSAPublicKey(), diff --git a/providers/defltprov.c b/providers/defltprov.c index 498c4eaa2a2..62258da7235 100644 --- a/providers/defltprov.c +++ b/providers/defltprov.c @@ -251,6 +251,9 @@ static const OSSL_ALGORITHM_CAPABLE deflt_ciphers[] = { ALG(PROV_NAMES_CAMELLIA_256_CBC, ossl_camellia256cbc_functions), ALG(PROV_NAMES_CAMELLIA_192_CBC, ossl_camellia192cbc_functions), ALG(PROV_NAMES_CAMELLIA_128_CBC, ossl_camellia128cbc_functions), + ALG(PROV_NAMES_CAMELLIA_128_CBC_CTS, ossl_camellia128cbc_cts_functions), + ALG(PROV_NAMES_CAMELLIA_192_CBC_CTS, ossl_camellia192cbc_cts_functions), + ALG(PROV_NAMES_CAMELLIA_256_CBC_CTS, ossl_camellia256cbc_cts_functions), ALG(PROV_NAMES_CAMELLIA_256_OFB, ossl_camellia256ofb_functions), ALG(PROV_NAMES_CAMELLIA_192_OFB, ossl_camellia192ofb_functions), ALG(PROV_NAMES_CAMELLIA_128_OFB, ossl_camellia128ofb_functions), diff --git a/providers/implementations/ciphers/cipher_camellia.c b/providers/implementations/ciphers/cipher_camellia.c index 02bef547fd1..5f0607a1997 100644 --- a/providers/implementations/ciphers/cipher_camellia.c +++ b/providers/implementations/ciphers/cipher_camellia.c @@ -91,3 +91,4 @@ IMPLEMENT_generic_cipher(camellia, CAMELLIA, ctr, CTR, 0, 192, 8, 128, stream) /* ossl_camellia128ctr_functions */ IMPLEMENT_generic_cipher(camellia, CAMELLIA, ctr, CTR, 0, 128, 8, 128, stream) +#include "cipher_camellia_cts.inc" diff --git a/providers/implementations/ciphers/cipher_camellia_cts.inc b/providers/implementations/ciphers/cipher_camellia_cts.inc new file mode 100644 index 00000000000..84ea992b8da --- /dev/null +++ b/providers/implementations/ciphers/cipher_camellia_cts.inc @@ -0,0 +1,94 @@ +/* + * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* Dispatch functions for CAMELLIA CBC CTS ciphers */ + +#include +#include "cipher_cts.h" + +#define CTS_FLAGS PROV_CIPHER_FLAG_CTS + +static OSSL_FUNC_cipher_encrypt_init_fn camellia_cbc_cts_einit; +static OSSL_FUNC_cipher_decrypt_init_fn camellia_cbc_cts_dinit; +static OSSL_FUNC_cipher_get_ctx_params_fn camellia_cbc_cts_get_ctx_params; +static OSSL_FUNC_cipher_set_ctx_params_fn camellia_cbc_cts_set_ctx_params; +static OSSL_FUNC_cipher_gettable_ctx_params_fn camellia_cbc_cts_gettable_ctx_params; +static OSSL_FUNC_cipher_settable_ctx_params_fn camellia_cbc_cts_settable_ctx_params; + +CIPHER_DEFAULT_GETTABLE_CTX_PARAMS_START(camellia_cbc_cts) +OSSL_PARAM_utf8_string(OSSL_CIPHER_PARAM_CTS_MODE, NULL, 0), +CIPHER_DEFAULT_GETTABLE_CTX_PARAMS_END(camellia_cbc_cts) + +static int camellia_cbc_cts_einit(void *ctx, const unsigned char *key, size_t keylen, + const unsigned char *iv, size_t ivlen, + const OSSL_PARAM params[]) +{ + if (!ossl_cipher_generic_einit(ctx, key, keylen, iv, ivlen, NULL)) + return 0; + return camellia_cbc_cts_set_ctx_params(ctx, params); +} + +static int camellia_cbc_cts_dinit(void *ctx, const unsigned char *key, size_t keylen, + const unsigned char *iv, size_t ivlen, + const OSSL_PARAM params[]) +{ + if (!ossl_cipher_generic_dinit(ctx, key, keylen, iv, ivlen, NULL)) + return 0; + return camellia_cbc_cts_set_ctx_params(ctx, params); +} + +static int camellia_cbc_cts_get_ctx_params(void *vctx, OSSL_PARAM params[]) +{ + PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx; + OSSL_PARAM *p; + + p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_CTS_MODE); + if (p != NULL) { + const char *name = ossl_cipher_cbc_cts_mode_id2name(ctx->cts_mode); + + if (name == NULL || !OSSL_PARAM_set_utf8_string(p, name)) { + ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); + return 0; + } + } + return ossl_cipher_generic_get_ctx_params(vctx, params); +} + +CIPHER_DEFAULT_SETTABLE_CTX_PARAMS_START(camellia_cbc_cts) +OSSL_PARAM_utf8_string(OSSL_CIPHER_PARAM_CTS_MODE, NULL, 0), +CIPHER_DEFAULT_SETTABLE_CTX_PARAMS_END(camellia_cbc_cts) + +static int camellia_cbc_cts_set_ctx_params(void *vctx, const OSSL_PARAM params[]) +{ + PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx; + const OSSL_PARAM *p; + int id; + + p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_CTS_MODE); + if (p != NULL) { + if (p->data_type != OSSL_PARAM_UTF8_STRING) + goto err; + id = ossl_cipher_cbc_cts_mode_name2id(p->data); + if (id < 0) + goto err; + + ctx->cts_mode = (unsigned int)id; + } + return ossl_cipher_generic_set_ctx_params(vctx, params); +err: + ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); + return 0; +} + +/* ossl_camellia256cbc_cts_functions */ +IMPLEMENT_cts_cipher(camellia, CAMELLIA, cbc, CBC, CTS_FLAGS, 256, 128, 128, block) +/* ossl_camellia192cbc_cts_functions */ +IMPLEMENT_cts_cipher(camellia, CAMELLIA, cbc, CBC, CTS_FLAGS, 192, 128, 128, block) +/* ossl_camellia128cbc_cts_functions */ +IMPLEMENT_cts_cipher(camellia, CAMELLIA, cbc, CBC, CTS_FLAGS, 128, 128, 128, block) diff --git a/providers/implementations/include/prov/implementations.h b/providers/implementations/include/prov/implementations.h index c80b0dcfa37..8bdd491d0d9 100644 --- a/providers/implementations/include/prov/implementations.h +++ b/providers/implementations/include/prov/implementations.h @@ -129,6 +129,9 @@ extern const OSSL_DISPATCH ossl_camellia128ecb_functions[]; extern const OSSL_DISPATCH ossl_camellia256cbc_functions[]; extern const OSSL_DISPATCH ossl_camellia192cbc_functions[]; extern const OSSL_DISPATCH ossl_camellia128cbc_functions[]; +extern const OSSL_DISPATCH ossl_camellia256cbc_cts_functions[]; +extern const OSSL_DISPATCH ossl_camellia192cbc_cts_functions[]; +extern const OSSL_DISPATCH ossl_camellia128cbc_cts_functions[]; extern const OSSL_DISPATCH ossl_camellia256ofb_functions[]; extern const OSSL_DISPATCH ossl_camellia192ofb_functions[]; extern const OSSL_DISPATCH ossl_camellia128ofb_functions[]; diff --git a/providers/implementations/include/prov/names.h b/providers/implementations/include/prov/names.h index b05776e4f62..e0dbb69a9d8 100644 --- a/providers/implementations/include/prov/names.h +++ b/providers/implementations/include/prov/names.h @@ -130,6 +130,9 @@ #define PROV_NAMES_CAMELLIA_256_CBC "CAMELLIA-256-CBC:CAMELLIA256:1.2.392.200011.61.1.1.1.4" #define PROV_NAMES_CAMELLIA_192_CBC "CAMELLIA-192-CBC:CAMELLIA192:1.2.392.200011.61.1.1.1.3" #define PROV_NAMES_CAMELLIA_128_CBC "CAMELLIA-128-CBC:CAMELLIA128:1.2.392.200011.61.1.1.1.2" +#define PROV_NAMES_CAMELLIA_256_CBC_CTS "CAMELLIA-256-CBC-CTS" +#define PROV_NAMES_CAMELLIA_192_CBC_CTS "CAMELLIA-192-CBC-CTS" +#define PROV_NAMES_CAMELLIA_128_CBC_CTS "CAMELLIA-128-CBC-CTS" #define PROV_NAMES_CAMELLIA_256_OFB "CAMELLIA-256-OFB:0.3.4401.5.3.1.9.43" #define PROV_NAMES_CAMELLIA_192_OFB "CAMELLIA-192-OFB:0.3.4401.5.3.1.9.23" #define PROV_NAMES_CAMELLIA_128_OFB "CAMELLIA-128-OFB:0.3.4401.5.3.1.9.3" diff --git a/test/recipes/30-test_evp.t b/test/recipes/30-test_evp.t index 96fc394fca3..7ae546e1d70 100644 --- a/test/recipes/30-test_evp.t +++ b/test/recipes/30-test_evp.t @@ -86,6 +86,7 @@ my @defltfiles = qw( evpciph_aria.txt evpciph_bf.txt evpciph_camellia.txt + evpciph_camellia_cts.txt evpciph_cast5.txt evpciph_chacha.txt evpciph_des.txt diff --git a/test/recipes/30-test_evp_data/evpciph_camellia_cts.txt b/test/recipes/30-test_evp_data/evpciph_camellia_cts.txt new file mode 100644 index 00000000000..4bc698e3ca4 --- /dev/null +++ b/test/recipes/30-test_evp_data/evpciph_camellia_cts.txt @@ -0,0 +1,141 @@ +# +# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +Title = Camellia CTS tests from RFC6803 + +# The encryption test vectors in RFC6803 specify the base_key, +# not the derived encryption key. +# The encryption key was manually derived using: +# ke = KBKDF(mac = CMAC, mode = FEEDBACK, base_key, +# salt = 0000000 || usage || AA, +# seed = 00000000000000000000000000000000) +# NOTE: that the usage was not specified in the test vectors, +# but is listed here in https://www.rfc-editor.org/errata_search.php?rfc=6803 +# +# e.g: openssl kdf -cipher CAMELLIA-128-CBC +# -keylen 16 +# -kdfopt hexkey:1DC46A8D763F4F93742BCBA3387576C3 +# -kdfopt hexsalt:00000000AA +# -kdfopt mode:FEEDBACK +# -kdfopt hexseed:00000000000000000000000000000000 +# -mac CMAC +# KBKDF +# +# The ciphertext result also contains a MAC result so this was also manually stripped from the test data. +# The random confounder is also prepended to the plaintext. +# + +# 128-bit Camellia key: 1DC46A8D763F4F93742BCBA3387576C3 +# Key usage: 0 +# Random confounder: B69822A19A6B09C0EBC8557D1F1B6C0A +# Plaintext: (empty) +Cipher = CAMELLIA-128-CBC-CTS +CTSMode = CS3 +Key = E99B82B36C4AE8EA19E95DFA9EDE882C +IV = 00000000000000000000000000000000 +Plaintext = B69822A19A6B09C0EBC8557D1F1B6C0A +Ciphertext = C466F1871069921EDB7C6FDE244A52DB + +# 128-bit Camellia key: 5027BC231D0F3A9D23333F1CA6FDBE7C +# Key usage: 1 +# Random confounder: 6F2FC3C2A166FD8898967A83DE9596D9 +# Plaintext: 1 (31) +Cipher = CAMELLIA-128-CBC-CTS +CTSMode = CS3 +Key = A7EDCD5397EA6D12B0AFF4CB8DAA57AD +IV = 00000000000000000000000000000000 +Plaintext = 6F2FC3C2A166FD8898967A83DE9596D931 +Ciphertext = 842D21FD950311C0DD464A3F4BE8D6DA88 + +# 128-bit Camellia key: A1BB61E805F9BA6DDE8FDBDDC05CDEA0 +# Key usage: 2 +# Random confounder: A5B4A71E077AEEF93C8763C18FDB1F10 +# Plaintext: 9 bytesss (392062797465737373) +Cipher = CAMELLIA-128-CBC-CTS +CTSMode = CS3 +Key = DDE42ECA7CD9863FC3CE89CBC94362D7 +IV = 00000000000000000000000000000000 +Plaintext = A5B4A71E077AEEF93C8763C18FDB1F10392062797465737373 +Ciphertext = 619FF072E36286FF0A28DEB3A352EC0D0EDF5C5160D663C901 + +# 128-bit Camellia key: 2CA27A5FAF5532244506434E1CEF6676 +# Key usage: 3 +# Random confounder: 19FEE40D810C524B5B22F01874C693DA +# Plaintext: 13 bytes byte (31332062797465732062797465) +Cipher = CAMELLIA-128-CBC-CTS +CTSMode = CS3 +Key = C3113A258590B9AEBF721B1AF6B0CBF8 +IV = 00000000000000000000000000000000 +Plaintext = 19FEE40D810C524B5B22F01874C693DA31332062797465732062797465 +Ciphertext = B8ECA3167AE6315512E59F98A7C500205E5F63FF3BB389AF1C41A21D64 + +# 128-bit Camellia key: 7824F8C16F83FF354C6BF7515B973F43 +# Key usage: 4 +# Random confounder: CA7A7AB4BE192DABD603506DB19C39E2 +# Plaintext: 30 bytes bytes bytes bytes byt (333020627974657320627974657320627974657320627974657320627974) +Cipher = CAMELLIA-128-CBC-CTS +CTSMode = CS3 +Key = 8B07EED30149916AA20DB3F5CED8AFAD +IV = 00000000000000000000000000000000 +Plaintext = CA7A7AB4BE192DABD603506DB19C39E2333020627974657320627974657320627974657320627974657320627974 +Ciphertext = A26A3905A4FFD5816B7B1E27380D08090C8EC1F304496E1ABDCD2BDCD1DFFC660989E117A713DDBB57A4146C1587 + +# 256-bit Camellia key: B61C86CC4E5D2757545AD423399FB7031ECAB913CBB900BD7A3C6DD8BF92015B +# Key usage: 0 +# Random confounder: 3CBBD2B45917941067F96599BB98926C +# Plaintext: (empty) +Cipher = CAMELLIA-256-CBC-CTS +CTSMode = CS3 +Key = 6CCB3F25D8AE57F4E8F6CA474BDDEFF116CE131B3F71012E756D6B1E3F70A7F1 +IV = 00000000000000000000000000000000 +Plaintext = 3CBBD2B45917941067F96599BB98926C +Ciphertext = 03886D03310B47A6D8F06D7B94D1DD83 + +# 256-bit Camellia key: 1B97FE0A190E2021EB30753E1B6E1E77B0754B1D684610355864104963463833 +# Key usage: 1 +# Random confounder: DEF487FCEBE6DE6346D4DA4521BBA2D2 +# Plaintext: 1 (31) +Cipher = CAMELLIA-256-CBC-CTS +CTSMode = CS3 +Key = E93173AA01EB3C246231DAFC7802EE32AF24851D8C7387D18CB9B2C5B7F570B8 +IV = 00000000000000000000000000000000 +Plaintext = DEF487FCEBE6DE6346D4DA4521BBA2D231 +Ciphertext = 2C9C1570133C99BF6A34BC1B0212002FD1 + +# 256-bit Camellia key: 32164C5B434D1D1538E4CFD9BE8040FE8C4AC7ACC4B93D3314D2133668147A05 +# Key usage: 2 +# Random confounder: AD4FF904D34E555384B14100FC465F88 +# Plaintext: 9 bytesss (392062797465737373) +Cipher = CAMELLIA-256-CBC-CTS +CTSMode = CS3 +Key = CDA2D39A9B243FFEB56E8D5F4BD528741ECB520C62123FB040B8418B15C7D70C +IV = 00000000000000000000000000000000 +Plaintext = AD4FF904D34E555384B14100FC465F88392062797465737373 +Ciphertext = 9C6DE75F812DE7ED0D28B2963557A115640998275B0AF51527 + +# 256-bit Camellia key: B038B132CD8E06612267FAB7170066D88AECCBA0B744BFC60DC89BCA182D0715 +# Key usage: 3 +# Random confounder: CF9BCA6DF1144E0C0AF9B8F34C90D514 +# Plaintext: 13 bytes byte (31332062797465732062797465) +Cipher = CAMELLIA-256-CBC-CTS +CTSMode = CS3 +Key = CD8A10E279DADDB6901EC30BDF9873250F6EFC6A77367D74DC3EE7F74BC7774E +IV = 00000000000000000000000000000000 +Plaintext = CF9BCA6DF1144E0C0AF9B8F34C90D51431332062797465732062797465 +Ciphertext = EEEC85A9813CDC536772AB9B42DEFC5706F726E975DDE05A87EB5406EA + +# 256-bit Camellia key: CCFCD349BF4C6677E86E4B02B8EAB924A546AC731CF9BF6989B996E7D6BFBBA7 +# Key usage: 4 +# Random confounder: 644DEF38DA35007275878D216855E228 +# Plaintext: 30 bytes bytes bytes bytes byt (333020627974657320627974657320627974657320627974657320627974) +Cipher = CAMELLIA-256-CBC-CTS +CTSMode = CS3 +Key = 1D5147F34BB001A04A68A71346E7654E0223A60D90BC2B79B4D87956D47CD42A +IV = 00000000000000000000000000000000 +Plaintext = 644DEF38DA35007275878D216855E228333020627974657320627974657320627974657320627974657320627974 +Ciphertext = 0E44680985855F2D1F1812529CA83BFD8E349DE6FD9ADA0BAAA048D68E265FEBF34AD1255A344999AD37146887A6