Refactor cipher aes_cts code so that it can be used by other 128bit ciphers

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16286)
This commit is contained in:
Shane Lontis 2021-08-12 18:20:48 +10:00 committed by Pauli
parent 43cf27c9a4
commit 42281f2617
5 changed files with 110 additions and 109 deletions

View File

@ -47,7 +47,7 @@ SOURCE[$AES_GOAL]=\
cipher_aes_wrp.c \
cipher_aes_cbc_hmac_sha.c \
cipher_aes_cbc_hmac_sha256_hw.c cipher_aes_cbc_hmac_sha1_hw.c \
cipher_aes_cts.c
cipher_cts.c
# Extra code to satisfy the FIPS and non-FIPS separation.
# When the AES-xxx-XTS moves to legacy, cipher_aes_xts_fips.c can be removed.

View File

@ -1,16 +0,0 @@
/*
* Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include "crypto/evp.h"
OSSL_FUNC_cipher_update_fn ossl_aes_cbc_cts_block_update;
OSSL_FUNC_cipher_final_fn ossl_aes_cbc_cts_block_final;
const char *ossl_aes_cbc_cts_mode_id2name(unsigned int id);
int ossl_aes_cbc_cts_mode_name2id(const char *name);

View File

@ -10,9 +10,9 @@
/* Dispatch functions for AES CBC CTS ciphers */
#include <openssl/proverr.h>
#include "cipher_aes_cts.h"
#include "cipher_cts.h"
#define AES_CTS_FLAGS PROV_CIPHER_FLAG_CTS
#define CTS_FLAGS PROV_CIPHER_FLAG_CTS
static OSSL_FUNC_cipher_encrypt_init_fn aes_cbc_cts_einit;
static OSSL_FUNC_cipher_decrypt_init_fn aes_cbc_cts_dinit;
@ -50,7 +50,7 @@ static int aes_cbc_cts_get_ctx_params(void *vctx, OSSL_PARAM params[])
p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_CTS_MODE);
if (p != NULL) {
const char *name = ossl_aes_cbc_cts_mode_id2name(ctx->cts_mode);
const char *name = ossl_cipher_cbc_cts_mode_id2name(ctx->cts_mode);
if (name == NULL || !OSSL_PARAM_set_utf8_string(p, name)) {
ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
@ -74,7 +74,7 @@ static int aes_cbc_cts_set_ctx_params(void *vctx, const OSSL_PARAM params[])
if (p != NULL) {
if (p->data_type != OSSL_PARAM_UTF8_STRING)
goto err;
id = ossl_aes_cbc_cts_mode_name2id(p->data);
id = ossl_cipher_cbc_cts_mode_name2id(p->data);
if (id < 0)
goto err;
@ -86,45 +86,9 @@ err:
return 0;
}
/* NOTE: The underlying block cipher is AES CBC so we reuse most of the code */
#define IMPLEMENT_cts_cipher(alg, UCALG, lcmode, UCMODE, flags, kbits, \
blkbits, ivbits, typ) \
static OSSL_FUNC_cipher_get_params_fn alg##_##kbits##_##lcmode##_get_params; \
static int alg##_cts_##kbits##_##lcmode##_get_params(OSSL_PARAM params[]) \
{ \
return ossl_cipher_generic_get_params(params, EVP_CIPH_##UCMODE##_MODE, flags, \
kbits, blkbits, ivbits); \
} \
const OSSL_DISPATCH ossl_##alg##kbits##lcmode##_cts_functions[] = { \
{ OSSL_FUNC_CIPHER_NEWCTX, \
(void (*)(void)) alg##_##kbits##_##lcmode##_newctx }, \
{ OSSL_FUNC_CIPHER_FREECTX, (void (*)(void)) alg##_freectx }, \
{ OSSL_FUNC_CIPHER_DUPCTX, (void (*)(void)) alg##_dupctx }, \
{ OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))aes_cbc_cts_einit }, \
{ OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))aes_cbc_cts_dinit }, \
{ OSSL_FUNC_CIPHER_UPDATE, \
(void (*)(void)) ossl_##alg##_##lcmode##_cts_block_update }, \
{ OSSL_FUNC_CIPHER_FINAL, \
(void (*)(void)) ossl_##alg##_##lcmode##_cts_block_final }, \
{ OSSL_FUNC_CIPHER_CIPHER, (void (*)(void))ossl_cipher_generic_cipher }, \
{ OSSL_FUNC_CIPHER_GET_PARAMS, \
(void (*)(void)) alg##_cts_##kbits##_##lcmode##_get_params }, \
{ OSSL_FUNC_CIPHER_GETTABLE_PARAMS, \
(void (*)(void))ossl_cipher_generic_gettable_params }, \
{ OSSL_FUNC_CIPHER_GET_CTX_PARAMS, \
(void (*)(void))aes_cbc_cts_get_ctx_params }, \
{ OSSL_FUNC_CIPHER_SET_CTX_PARAMS, \
(void (*)(void))aes_cbc_cts_set_ctx_params }, \
{ OSSL_FUNC_CIPHER_GETTABLE_CTX_PARAMS, \
(void (*)(void))aes_cbc_cts_gettable_ctx_params }, \
{ OSSL_FUNC_CIPHER_SETTABLE_CTX_PARAMS, \
(void (*)(void))aes_cbc_cts_settable_ctx_params }, \
{ 0, NULL } \
};
/* ossl_aes256cbc_cts_functions */
IMPLEMENT_cts_cipher(aes, AES, cbc, CBC, AES_CTS_FLAGS, 256, 128, 128, block)
IMPLEMENT_cts_cipher(aes, AES, cbc, CBC, CTS_FLAGS, 256, 128, 128, block)
/* ossl_aes192cbc_cts_functions */
IMPLEMENT_cts_cipher(aes, AES, cbc, CBC, AES_CTS_FLAGS, 192, 128, 128, block)
IMPLEMENT_cts_cipher(aes, AES, cbc, CBC, CTS_FLAGS, 192, 128, 128, block)
/* ossl_aes128cbc_cts_functions */
IMPLEMENT_cts_cipher(aes, AES, cbc, CBC, AES_CTS_FLAGS, 128, 128, 128, block)
IMPLEMENT_cts_cipher(aes, AES, cbc, CBC, CTS_FLAGS, 128, 128, 128, block)

View File

@ -1,5 +1,5 @@
/*
* Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -8,10 +8,10 @@
*/
/*
* Helper functions for AES CBC CTS ciphers.
* Helper functions for 128 bit CBC CTS ciphers (Currently AES and Camellia).
*
* The function dispatch tables are embedded into cipher_aes.c
* using cipher_aes_cts.inc
* and cipher_camellia.c using cipher_aes_cts.inc and cipher_camellia_cts.inc
*/
/*
@ -48,19 +48,20 @@
#include "e_os.h" /* strcasecmp */
#include <openssl/core_names.h>
#include <openssl/aes.h>
#include "prov/ciphercommon.h"
#include "internal/nelem.h"
#include "cipher_aes_cts.h"
#include "cipher_cts.h"
/* The value assigned to 0 is the default */
#define CTS_CS1 0
#define CTS_CS2 1
#define CTS_CS3 2
#define CTS_BLOCK_SIZE 16
typedef union {
size_t align;
unsigned char c[AES_BLOCK_SIZE];
unsigned char c[CTS_BLOCK_SIZE];
} aligned_16bytes;
typedef struct cts_mode_name2id_st {
@ -75,7 +76,7 @@ static CTS_MODE_NAME2ID cts_modes[] =
{ CTS_CS3, OSSL_CIPHER_CTS_MODE_CS3 },
};
const char *ossl_aes_cbc_cts_mode_id2name(unsigned int id)
const char *ossl_cipher_cbc_cts_mode_id2name(unsigned int id)
{
size_t i;
@ -86,7 +87,7 @@ const char *ossl_aes_cbc_cts_mode_id2name(unsigned int id)
return NULL;
}
int ossl_aes_cbc_cts_mode_name2id(const char *name)
int ossl_cipher_cbc_cts_mode_name2id(const char *name)
{
size_t i;
@ -103,7 +104,7 @@ static size_t cts128_cs1_encrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in,
aligned_16bytes tmp_in;
size_t residue;
residue = len % AES_BLOCK_SIZE;
residue = len % CTS_BLOCK_SIZE;
len -= residue;
if (!ctx->hw->cipher(ctx, out, in, len))
return 0;
@ -116,8 +117,8 @@ static size_t cts128_cs1_encrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in,
memset(tmp_in.c, 0, sizeof(tmp_in));
memcpy(tmp_in.c, in, residue);
if (!ctx->hw->cipher(ctx, out - AES_BLOCK_SIZE + residue, tmp_in.c,
AES_BLOCK_SIZE))
if (!ctx->hw->cipher(ctx, out - CTS_BLOCK_SIZE + residue, tmp_in.c,
CTS_BLOCK_SIZE))
return 0;
return len + residue;
}
@ -137,7 +138,7 @@ static size_t cts128_cs1_decrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in,
aligned_16bytes mid_iv, ct_mid, pt_last;
size_t residue;
residue = len % AES_BLOCK_SIZE;
residue = len % CTS_BLOCK_SIZE;
if (residue == 0) {
/* If there are no partial blocks then it is the same as CBC mode */
if (!ctx->hw->cipher(ctx, out, in, len))
@ -145,7 +146,7 @@ static size_t cts128_cs1_decrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in,
return len;
}
/* Process blocks at the start - but leave the last 2 blocks */
len -= AES_BLOCK_SIZE + residue;
len -= CTS_BLOCK_SIZE + residue;
if (len > 0) {
if (!ctx->hw->cipher(ctx, out, in, len))
return 0;
@ -153,11 +154,11 @@ static size_t cts128_cs1_decrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in,
out += len;
}
/* Save the iv that will be used by the second last block */
memcpy(mid_iv.c, ctx->iv, AES_BLOCK_SIZE);
memcpy(mid_iv.c, ctx->iv, CTS_BLOCK_SIZE);
/* Decrypt the last block first using an iv of zero */
memset(ctx->iv, 0, AES_BLOCK_SIZE);
if (!ctx->hw->cipher(ctx, pt_last.c, in + residue, AES_BLOCK_SIZE))
memset(ctx->iv, 0, CTS_BLOCK_SIZE);
if (!ctx->hw->cipher(ctx, pt_last.c, in + residue, CTS_BLOCK_SIZE))
return 0;
/*
@ -166,26 +167,26 @@ static size_t cts128_cs1_decrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in,
* of the partial second last block.
*/
memcpy(ct_mid.c, in, residue);
memcpy(ct_mid.c + residue, pt_last.c + residue, AES_BLOCK_SIZE - residue);
memcpy(ct_mid.c + residue, pt_last.c + residue, CTS_BLOCK_SIZE - residue);
/*
* Restore the last partial ciphertext block.
* Now that we have the cipher text of the second last block, apply
* that to the partial plaintext end block. We have already decrypted the
* block using an IV of zero. For decryption the IV is just XORed after
* doing an AES block - so just XOR in the cipher text.
* doing an Cipher CBC block - so just XOR in the cipher text.
*/
do_xor(ct_mid.c, pt_last.c, residue, out + AES_BLOCK_SIZE);
do_xor(ct_mid.c, pt_last.c, residue, out + CTS_BLOCK_SIZE);
/* Restore the iv needed by the second last block */
memcpy(ctx->iv, mid_iv.c, AES_BLOCK_SIZE);
memcpy(ctx->iv, mid_iv.c, CTS_BLOCK_SIZE);
/*
* Decrypt the second last plaintext block now that we have rebuilt the
* ciphertext.
*/
if (!ctx->hw->cipher(ctx, out, ct_mid.c, AES_BLOCK_SIZE))
if (!ctx->hw->cipher(ctx, out, ct_mid.c, CTS_BLOCK_SIZE))
return 0;
return len + AES_BLOCK_SIZE + residue;
return len + CTS_BLOCK_SIZE + residue;
}
static size_t cts128_cs3_encrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in,
@ -194,12 +195,12 @@ static size_t cts128_cs3_encrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in,
aligned_16bytes tmp_in;
size_t residue;
if (len <= AES_BLOCK_SIZE) /* CS3 requires 2 blocks */
if (len <= CTS_BLOCK_SIZE) /* CS3 requires 2 blocks */
return 0;
residue = len % AES_BLOCK_SIZE;
residue = len % CTS_BLOCK_SIZE;
if (residue == 0)
residue = AES_BLOCK_SIZE;
residue = CTS_BLOCK_SIZE;
len -= residue;
if (!ctx->hw->cipher(ctx, out, in, len))
@ -210,8 +211,8 @@ static size_t cts128_cs3_encrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in,
memset(tmp_in.c, 0, sizeof(tmp_in));
memcpy(tmp_in.c, in, residue);
memcpy(out, out - AES_BLOCK_SIZE, residue);
if (!ctx->hw->cipher(ctx, out - AES_BLOCK_SIZE, tmp_in.c, AES_BLOCK_SIZE))
memcpy(out, out - CTS_BLOCK_SIZE, residue);
if (!ctx->hw->cipher(ctx, out - CTS_BLOCK_SIZE, tmp_in.c, CTS_BLOCK_SIZE))
return 0;
return len + residue;
}
@ -230,14 +231,14 @@ static size_t cts128_cs3_decrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in,
aligned_16bytes mid_iv, ct_mid, pt_last;
size_t residue;
if (len <= AES_BLOCK_SIZE) /* CS3 requires 2 blocks */
if (len <= CTS_BLOCK_SIZE) /* CS3 requires 2 blocks */
return 0;
/* Process blocks at the start - but leave the last 2 blocks */
residue = len % AES_BLOCK_SIZE;
residue = len % CTS_BLOCK_SIZE;
if (residue == 0)
residue = AES_BLOCK_SIZE;
len -= AES_BLOCK_SIZE + residue;
residue = CTS_BLOCK_SIZE;
len -= CTS_BLOCK_SIZE + residue;
if (len > 0) {
if (!ctx->hw->cipher(ctx, out, in, len))
@ -246,11 +247,11 @@ static size_t cts128_cs3_decrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in,
out += len;
}
/* Save the iv that will be used by the second last block */
memcpy(mid_iv.c, ctx->iv, AES_BLOCK_SIZE);
memcpy(mid_iv.c, ctx->iv, CTS_BLOCK_SIZE);
/* Decrypt the Cn block first using an iv of zero */
memset(ctx->iv, 0, AES_BLOCK_SIZE);
if (!ctx->hw->cipher(ctx, pt_last.c, in, AES_BLOCK_SIZE))
memset(ctx->iv, 0, CTS_BLOCK_SIZE);
if (!ctx->hw->cipher(ctx, pt_last.c, in, CTS_BLOCK_SIZE))
return 0;
/*
@ -258,9 +259,9 @@ static size_t cts128_cs3_decrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in,
* the decrypted C(n) block + replace the start with the ciphertext bytes
* of the partial last block.
*/
memcpy(ct_mid.c, in + AES_BLOCK_SIZE, residue);
if (residue != AES_BLOCK_SIZE)
memcpy(ct_mid.c + residue, pt_last.c + residue, AES_BLOCK_SIZE - residue);
memcpy(ct_mid.c, in + CTS_BLOCK_SIZE, residue);
if (residue != CTS_BLOCK_SIZE)
memcpy(ct_mid.c + residue, pt_last.c + residue, CTS_BLOCK_SIZE - residue);
/*
* Restore the last partial ciphertext block.
* Now that we have the cipher text of the second last block, apply
@ -268,24 +269,24 @@ static size_t cts128_cs3_decrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in,
* block using an IV of zero. For decryption the IV is just XORed after
* doing an AES block - so just XOR in the ciphertext.
*/
do_xor(ct_mid.c, pt_last.c, residue, out + AES_BLOCK_SIZE);
do_xor(ct_mid.c, pt_last.c, residue, out + CTS_BLOCK_SIZE);
/* Restore the iv needed by the second last block */
memcpy(ctx->iv, mid_iv.c, AES_BLOCK_SIZE);
memcpy(ctx->iv, mid_iv.c, CTS_BLOCK_SIZE);
/*
* Decrypt the second last plaintext block now that we have rebuilt the
* ciphertext.
*/
if (!ctx->hw->cipher(ctx, out, ct_mid.c, AES_BLOCK_SIZE))
if (!ctx->hw->cipher(ctx, out, ct_mid.c, CTS_BLOCK_SIZE))
return 0;
return len + AES_BLOCK_SIZE + residue;
return len + CTS_BLOCK_SIZE + residue;
}
static size_t cts128_cs2_encrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in,
unsigned char *out, size_t len)
{
if (len % AES_BLOCK_SIZE == 0) {
if (len % CTS_BLOCK_SIZE == 0) {
/* If there are no partial blocks then it is the same as CBC mode */
if (!ctx->hw->cipher(ctx, out, in, len))
return 0;
@ -298,7 +299,7 @@ static size_t cts128_cs2_encrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in,
static size_t cts128_cs2_decrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in,
unsigned char *out, size_t len)
{
if (len % AES_BLOCK_SIZE == 0) {
if (len % CTS_BLOCK_SIZE == 0) {
/* If there are no partial blocks then it is the same as CBC mode */
if (!ctx->hw->cipher(ctx, out, in, len))
return 0;
@ -308,14 +309,14 @@ static size_t cts128_cs2_decrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in,
return cts128_cs3_decrypt(ctx, in, out, len);
}
int ossl_aes_cbc_cts_block_update(void *vctx, unsigned char *out, size_t *outl,
size_t outsize, const unsigned char *in,
size_t inl)
int ossl_cipher_cbc_cts_block_update(void *vctx, unsigned char *out, size_t *outl,
size_t outsize, const unsigned char *in,
size_t inl)
{
PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
size_t sz = 0;
if (inl < AES_BLOCK_SIZE) /* There must be at least one block for CTS mode */
if (inl < CTS_BLOCK_SIZE) /* There must be at least one block for CTS mode */
return 0;
if (outsize < inl)
return 0;
@ -353,8 +354,8 @@ int ossl_aes_cbc_cts_block_update(void *vctx, unsigned char *out, size_t *outl,
return 1;
}
int ossl_aes_cbc_cts_block_final(void *vctx, unsigned char *out, size_t *outl,
size_t outsize)
int ossl_cipher_cbc_cts_block_final(void *vctx, unsigned char *out, size_t *outl,
size_t outsize)
{
*outl = 0;
return 1;

View File

@ -0,0 +1,52 @@
/*
* Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include "crypto/evp.h"
/* NOTE: The underlying block cipher is CBC so we reuse most of the code */
#define IMPLEMENT_cts_cipher(alg, UCALG, lcmode, UCMODE, flags, kbits, \
blkbits, ivbits, typ) \
static OSSL_FUNC_cipher_get_params_fn alg##_##kbits##_##lcmode##_get_params; \
static int alg##_cts_##kbits##_##lcmode##_get_params(OSSL_PARAM params[]) \
{ \
return ossl_cipher_generic_get_params(params, EVP_CIPH_##UCMODE##_MODE, \
flags, kbits, blkbits, ivbits); \
} \
const OSSL_DISPATCH ossl_##alg##kbits##lcmode##_cts_functions[] = { \
{ OSSL_FUNC_CIPHER_NEWCTX, \
(void (*)(void)) alg##_##kbits##_##lcmode##_newctx }, \
{ OSSL_FUNC_CIPHER_FREECTX, (void (*)(void)) alg##_freectx }, \
{ OSSL_FUNC_CIPHER_DUPCTX, (void (*)(void)) alg##_dupctx }, \
{ OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void)) alg##_cbc_cts_einit }, \
{ OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void)) alg##_cbc_cts_dinit }, \
{ OSSL_FUNC_CIPHER_UPDATE, \
(void (*)(void)) ossl_cipher_cbc_cts_block_update }, \
{ OSSL_FUNC_CIPHER_FINAL, \
(void (*)(void)) ossl_cipher_cbc_cts_block_final }, \
{ OSSL_FUNC_CIPHER_CIPHER, (void (*)(void))ossl_cipher_generic_cipher }, \
{ OSSL_FUNC_CIPHER_GET_PARAMS, \
(void (*)(void)) alg##_cts_##kbits##_##lcmode##_get_params }, \
{ OSSL_FUNC_CIPHER_GETTABLE_PARAMS, \
(void (*)(void))ossl_cipher_generic_gettable_params }, \
{ OSSL_FUNC_CIPHER_GET_CTX_PARAMS, \
(void (*)(void)) alg##_cbc_cts_get_ctx_params }, \
{ OSSL_FUNC_CIPHER_SET_CTX_PARAMS, \
(void (*)(void)) alg##_cbc_cts_set_ctx_params }, \
{ OSSL_FUNC_CIPHER_GETTABLE_CTX_PARAMS, \
(void (*)(void)) alg##_cbc_cts_gettable_ctx_params }, \
{ OSSL_FUNC_CIPHER_SETTABLE_CTX_PARAMS, \
(void (*)(void)) alg##_cbc_cts_settable_ctx_params }, \
{ 0, NULL } \
};
OSSL_FUNC_cipher_update_fn ossl_cipher_cbc_cts_block_update;
OSSL_FUNC_cipher_final_fn ossl_cipher_cbc_cts_block_final;
const char *ossl_cipher_cbc_cts_mode_id2name(unsigned int id);
int ossl_cipher_cbc_cts_mode_name2id(const char *name);