[openssl] master update
Dr. Paul Dale
pauli at openssl.org
Tue Aug 17 22:40:15 UTC 2021
The branch master has been updated
via 46ac83eaf30efb676d12583080216f354951e0ae (commit)
via 7daabe78a04902d3ae53af3e4a2acfdf6a1f1ec9 (commit)
via 7f5a9399d27564a7136eed2df693755a3bec2cfc (commit)
via 42281f26174dcc6ef4847894f17627f305bdfa2b (commit)
from 43cf27c9a4fe135013dd4127dd4bcf862d1cb503 (commit)
- Log -----------------------------------------------------------------
commit 46ac83eaf30efb676d12583080216f354951e0ae
Author: Shane Lontis <shane.lontis at oracle.com>
Date: Fri Aug 13 14:36:21 2021 +1000
Fix CTS cipher decrypt so that the updated IV is returned correctly.
Adding KRB5 test vector 'NextIV' values to evp_test data for AES CTS indicated that the CTS decrypt functions incorrectly returned the wrong IV. The returned IV should match the value returned by the encrypt methods.
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16286)
commit 7daabe78a04902d3ae53af3e4a2acfdf6a1f1ec9
Author: Shane Lontis <shane.lontis at oracle.com>
Date: Thu Aug 12 19:20:05 2021 +1000
Change CTS CS3 (Kerberos) so that it accepts a 16 byte input block
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16286)
commit 7f5a9399d27564a7136eed2df693755a3bec2cfc
Author: Shane Lontis <shane.lontis at oracle.com>
Date: Thu Aug 12 18:22:50 2021 +1000
Add support for camellia cbc cts mode
Fixes #16276
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16286)
commit 42281f26174dcc6ef4847894f17627f305bdfa2b
Author: Shane Lontis <shane.lontis at oracle.com>
Date: Thu Aug 12 18:20:48 2021 +1000
Refactor cipher aes_cts code so that it can be used by other 128bit ciphers
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16286)
-----------------------------------------------------------------------
Summary of changes:
doc/man3/EVP_EncryptInit.pod | 20 +--
doc/man7/EVP_CIPHER-CAMELLIA.pod | 2 +
doc/man7/migration_guide.pod | 18 ++-
providers/defltprov.c | 3 +
providers/implementations/ciphers/build.info | 2 +-
providers/implementations/ciphers/cipher_aes_cts.h | 16 ---
.../implementations/ciphers/cipher_aes_cts.inc | 50 +-------
.../implementations/ciphers/cipher_camellia.c | 1 +
.../ciphers/cipher_camellia_cts.inc | 94 ++++++++++++++
.../ciphers/{cipher_aes_cts.c => cipher_cts.c} | 122 ++++++++++--------
providers/implementations/ciphers/cipher_cts.h | 52 ++++++++
.../implementations/include/prov/implementations.h | 3 +
providers/implementations/include/prov/names.h | 3 +
test/recipes/30-test_evp.t | 1 +
test/recipes/30-test_evp_data/evpciph_aes_cts.txt | 40 +++++-
.../30-test_evp_data/evpciph_camellia_cts.txt | 141 +++++++++++++++++++++
16 files changed, 444 insertions(+), 124 deletions(-)
delete mode 100644 providers/implementations/ciphers/cipher_aes_cts.h
create mode 100644 providers/implementations/ciphers/cipher_camellia_cts.inc
rename providers/implementations/ciphers/{cipher_aes_cts.c => cipher_cts.c} (72%)
create mode 100644 providers/implementations/ciphers/cipher_cts.h
create mode 100644 test/recipes/30-test_evp_data/evpciph_camellia_cts.txt
diff --git a/doc/man3/EVP_EncryptInit.pod b/doc/man3/EVP_EncryptInit.pod
index a03c31ea35..cb36629684 100644
--- a/doc/man3/EVP_EncryptInit.pod
+++ b/doc/man3/EVP_EncryptInit.pod
@@ -738,7 +738,8 @@ that has the flag B<EVP_CIPH_FLAG_CUSTOM_ASN1> set.
=item "cts_mode" (B<OSSL_CIPHER_PARAM_CTS_MODE>) <UTF8 string>
Gets or sets the cipher text stealing mode. For all modes the output size is the
-same as the input size.
+same as the input size. The input length must be greater than or equal to the
+block size. (The block size for AES and CAMELLIA is 16 bytes).
Valid values for the mode are:
@@ -747,25 +748,28 @@ Valid values for the mode are:
=item "CS1"
The NIST variant of cipher text stealing.
-For message lengths that are multiples of the block size it is equivalent to
-using a "AES-CBC" cipher otherwise the second last cipher text block is a
-partial block.
+For input lengths that are multiples of the block size it is equivalent to
+using a "AES-XXX-CBC" or "CAMELLIA-XXX-CBC" cipher otherwise the second last
+cipher text block is a partial block.
=item "CS2"
-For message lengths that are multiples of the block size it is equivalent to
-using a "AES-CBC" cipher, otherwise it is the same as "CS3".
+For input lengths that are multiples of the block size it is equivalent to
+using a "AES-XXX-CBC" or "CAMELLIA-XXX-CBC" cipher, otherwise it is the same as
+"CS3" mode.
=item "CS3"
The Kerberos5 variant of cipher text stealing which always swaps the last
cipher text block with the previous block (which may be a partial or full block
-depending on the input length).
+depending on the input length). If the input length is exactly one full block
+then this is equivalent to using a "AES-XXX-CBC" or "CAMELLIA-XXX-CBC" cipher.
=back
The default is "CS1".
-This is only supported for "AES-128-CBC-CTS", "AES-192-CBC-CTS" and "AES-256-CBC-CTS".
+This is only supported for "AES-128-CBC-CTS", "AES-192-CBC-CTS", "AES-256-CBC-CTS",
+"CAMELLIA-128-CBC-CTS", "CAMELLIA-192-CBC-CTS" and "CAMELLIA-256-CBC-CTS".
=item "tls1multi_interleave" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE>) <unsigned integer>
diff --git a/doc/man7/EVP_CIPHER-CAMELLIA.pod b/doc/man7/EVP_CIPHER-CAMELLIA.pod
index 7b129c6407..bba8001d00 100644
--- a/doc/man7/EVP_CIPHER-CAMELLIA.pod
+++ b/doc/man7/EVP_CIPHER-CAMELLIA.pod
@@ -16,6 +16,8 @@ The following algorithms are available in the default provider:
=item "CAMELLIA-128-CBC", "CAMELLIA-192-CBC" and "CAMELLIA-256-CBC"
+=item "CAMELLIA-128-CBC-CTS", "CAMELLIA-192-CBC-CTS" and "CAMELLIA-256-CBC-CTS"
+
=item "CAMELLIA-128-CFB", "CAMELLIA-192-CFB", "CAMELLIA-256-CFB",
"CAMELLIA-128-CFB1", "CAMELLIA-192-CFB1", "CAMELLIA-256-CFB1",
"CAMELLIA-128-CFB8", "CAMELLIA-192-CFB8" and "CAMELLIA-256-CFB8"
diff --git a/doc/man7/migration_guide.pod b/doc/man7/migration_guide.pod
index 8cc017dfa6..7e0bbf465d 100644
--- a/doc/man7/migration_guide.pod
+++ b/doc/man7/migration_guide.pod
@@ -219,9 +219,10 @@ unwrapping. The algorithms are: "AES-128-WRAP-INV", "AES-192-WRAP-INV",
=item *
-AES CTS cipher added to EVP layer.
+CTS ciphers added to EVP layer.
-The algorithms are "AES-128-CBC-CTS", "AES-192-CBC-CTS" and "AES-256-CBC-CTS".
+The algorithms are "AES-128-CBC-CTS", "AES-192-CBC-CTS", "AES-256-CBC-CTS",
+"CAMELLIA-128-CBC-CTS", "CAMELLIA-192-CBC-CTS" and "CAMELLIA-256-CBC-CTS".
CS1, CS2 and CS3 variants are supported.
=back
@@ -1220,6 +1221,19 @@ tools, such as compiler memory and leak sanitizers or Valgrind.
=item *
+CRYPTO_cts128_encrypt_block(), CRYPTO_cts128_encrypt(),
+CRYPTO_cts128_decrypt_block(), CRYPTO_cts128_decrypt(),
+CRYPTO_nistcts128_encrypt_block(), CRYPTO_nistcts128_encrypt(),
+CRYPTO_nistcts128_decrypt_block(), CRYPTO_nistcts128_decrypt()
+
+Use the higher level functions EVP_CipherInit_ex2(), EVP_CipherUpdate() and
+EVP_CipherFinal_ex() instead.
+See the "cts_mode" parameter in
+L<EVP_EncryptInit(3)/Gettable and Settable EVP_CIPHER_CTX parameters>.
+See L<EVP_EncryptInit(3)/EXAMPLES> for a AES-256-CBC-CTS example.
+
+=item *
+
d2i_DHparams(), d2i_DHxparams(), d2i_DSAparams(), d2i_DSAPrivateKey(),
d2i_DSAPrivateKey_bio(), d2i_DSAPrivateKey_fp(), d2i_DSA_PUBKEY(),
d2i_DSA_PUBKEY_bio(), d2i_DSA_PUBKEY_fp(), d2i_DSAPublicKey(),
diff --git a/providers/defltprov.c b/providers/defltprov.c
index 498c4eaa2a..62258da723 100644
--- a/providers/defltprov.c
+++ b/providers/defltprov.c
@@ -251,6 +251,9 @@ static const OSSL_ALGORITHM_CAPABLE deflt_ciphers[] = {
ALG(PROV_NAMES_CAMELLIA_256_CBC, ossl_camellia256cbc_functions),
ALG(PROV_NAMES_CAMELLIA_192_CBC, ossl_camellia192cbc_functions),
ALG(PROV_NAMES_CAMELLIA_128_CBC, ossl_camellia128cbc_functions),
+ ALG(PROV_NAMES_CAMELLIA_128_CBC_CTS, ossl_camellia128cbc_cts_functions),
+ ALG(PROV_NAMES_CAMELLIA_192_CBC_CTS, ossl_camellia192cbc_cts_functions),
+ ALG(PROV_NAMES_CAMELLIA_256_CBC_CTS, ossl_camellia256cbc_cts_functions),
ALG(PROV_NAMES_CAMELLIA_256_OFB, ossl_camellia256ofb_functions),
ALG(PROV_NAMES_CAMELLIA_192_OFB, ossl_camellia192ofb_functions),
ALG(PROV_NAMES_CAMELLIA_128_OFB, ossl_camellia128ofb_functions),
diff --git a/providers/implementations/ciphers/build.info b/providers/implementations/ciphers/build.info
index cb87ea62d9..e4c5f4f051 100644
--- a/providers/implementations/ciphers/build.info
+++ b/providers/implementations/ciphers/build.info
@@ -47,7 +47,7 @@ SOURCE[$AES_GOAL]=\
cipher_aes_wrp.c \
cipher_aes_cbc_hmac_sha.c \
cipher_aes_cbc_hmac_sha256_hw.c cipher_aes_cbc_hmac_sha1_hw.c \
- cipher_aes_cts.c
+ cipher_cts.c
# Extra code to satisfy the FIPS and non-FIPS separation.
# When the AES-xxx-XTS moves to legacy, cipher_aes_xts_fips.c can be removed.
diff --git a/providers/implementations/ciphers/cipher_aes_cts.h b/providers/implementations/ciphers/cipher_aes_cts.h
deleted file mode 100644
index 37dd3df329..0000000000
--- a/providers/implementations/ciphers/cipher_aes_cts.h
+++ /dev/null
@@ -1,16 +0,0 @@
-/*
- * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License"). You may not use
- * this file except in compliance with the License. You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include "crypto/evp.h"
-
-OSSL_FUNC_cipher_update_fn ossl_aes_cbc_cts_block_update;
-OSSL_FUNC_cipher_final_fn ossl_aes_cbc_cts_block_final;
-
-const char *ossl_aes_cbc_cts_mode_id2name(unsigned int id);
-int ossl_aes_cbc_cts_mode_name2id(const char *name);
diff --git a/providers/implementations/ciphers/cipher_aes_cts.inc b/providers/implementations/ciphers/cipher_aes_cts.inc
index 2a3b88b2c0..1fb5ec3553 100644
--- a/providers/implementations/ciphers/cipher_aes_cts.inc
+++ b/providers/implementations/ciphers/cipher_aes_cts.inc
@@ -10,9 +10,9 @@
/* Dispatch functions for AES CBC CTS ciphers */
#include <openssl/proverr.h>
-#include "cipher_aes_cts.h"
+#include "cipher_cts.h"
-#define AES_CTS_FLAGS PROV_CIPHER_FLAG_CTS
+#define CTS_FLAGS PROV_CIPHER_FLAG_CTS
static OSSL_FUNC_cipher_encrypt_init_fn aes_cbc_cts_einit;
static OSSL_FUNC_cipher_decrypt_init_fn aes_cbc_cts_dinit;
@@ -50,7 +50,7 @@ static int aes_cbc_cts_get_ctx_params(void *vctx, OSSL_PARAM params[])
p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_CTS_MODE);
if (p != NULL) {
- const char *name = ossl_aes_cbc_cts_mode_id2name(ctx->cts_mode);
+ const char *name = ossl_cipher_cbc_cts_mode_id2name(ctx->cts_mode);
if (name == NULL || !OSSL_PARAM_set_utf8_string(p, name)) {
ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
@@ -74,7 +74,7 @@ static int aes_cbc_cts_set_ctx_params(void *vctx, const OSSL_PARAM params[])
if (p != NULL) {
if (p->data_type != OSSL_PARAM_UTF8_STRING)
goto err;
- id = ossl_aes_cbc_cts_mode_name2id(p->data);
+ id = ossl_cipher_cbc_cts_mode_name2id(p->data);
if (id < 0)
goto err;
@@ -86,45 +86,9 @@ err:
return 0;
}
-/* NOTE: The underlying block cipher is AES CBC so we reuse most of the code */
-#define IMPLEMENT_cts_cipher(alg, UCALG, lcmode, UCMODE, flags, kbits, \
- blkbits, ivbits, typ) \
-static OSSL_FUNC_cipher_get_params_fn alg##_##kbits##_##lcmode##_get_params; \
-static int alg##_cts_##kbits##_##lcmode##_get_params(OSSL_PARAM params[]) \
-{ \
- return ossl_cipher_generic_get_params(params, EVP_CIPH_##UCMODE##_MODE, flags, \
- kbits, blkbits, ivbits); \
-} \
-const OSSL_DISPATCH ossl_##alg##kbits##lcmode##_cts_functions[] = { \
- { OSSL_FUNC_CIPHER_NEWCTX, \
- (void (*)(void)) alg##_##kbits##_##lcmode##_newctx }, \
- { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void)) alg##_freectx }, \
- { OSSL_FUNC_CIPHER_DUPCTX, (void (*)(void)) alg##_dupctx }, \
- { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))aes_cbc_cts_einit }, \
- { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))aes_cbc_cts_dinit }, \
- { OSSL_FUNC_CIPHER_UPDATE, \
- (void (*)(void)) ossl_##alg##_##lcmode##_cts_block_update }, \
- { OSSL_FUNC_CIPHER_FINAL, \
- (void (*)(void)) ossl_##alg##_##lcmode##_cts_block_final }, \
- { OSSL_FUNC_CIPHER_CIPHER, (void (*)(void))ossl_cipher_generic_cipher }, \
- { OSSL_FUNC_CIPHER_GET_PARAMS, \
- (void (*)(void)) alg##_cts_##kbits##_##lcmode##_get_params }, \
- { OSSL_FUNC_CIPHER_GETTABLE_PARAMS, \
- (void (*)(void))ossl_cipher_generic_gettable_params }, \
- { OSSL_FUNC_CIPHER_GET_CTX_PARAMS, \
- (void (*)(void))aes_cbc_cts_get_ctx_params }, \
- { OSSL_FUNC_CIPHER_SET_CTX_PARAMS, \
- (void (*)(void))aes_cbc_cts_set_ctx_params }, \
- { OSSL_FUNC_CIPHER_GETTABLE_CTX_PARAMS, \
- (void (*)(void))aes_cbc_cts_gettable_ctx_params }, \
- { OSSL_FUNC_CIPHER_SETTABLE_CTX_PARAMS, \
- (void (*)(void))aes_cbc_cts_settable_ctx_params }, \
- { 0, NULL } \
-};
-
/* ossl_aes256cbc_cts_functions */
-IMPLEMENT_cts_cipher(aes, AES, cbc, CBC, AES_CTS_FLAGS, 256, 128, 128, block)
+IMPLEMENT_cts_cipher(aes, AES, cbc, CBC, CTS_FLAGS, 256, 128, 128, block)
/* ossl_aes192cbc_cts_functions */
-IMPLEMENT_cts_cipher(aes, AES, cbc, CBC, AES_CTS_FLAGS, 192, 128, 128, block)
+IMPLEMENT_cts_cipher(aes, AES, cbc, CBC, CTS_FLAGS, 192, 128, 128, block)
/* ossl_aes128cbc_cts_functions */
-IMPLEMENT_cts_cipher(aes, AES, cbc, CBC, AES_CTS_FLAGS, 128, 128, 128, block)
+IMPLEMENT_cts_cipher(aes, AES, cbc, CBC, CTS_FLAGS, 128, 128, 128, block)
diff --git a/providers/implementations/ciphers/cipher_camellia.c b/providers/implementations/ciphers/cipher_camellia.c
index 02bef547fd..5f0607a199 100644
--- a/providers/implementations/ciphers/cipher_camellia.c
+++ b/providers/implementations/ciphers/cipher_camellia.c
@@ -91,3 +91,4 @@ IMPLEMENT_generic_cipher(camellia, CAMELLIA, ctr, CTR, 0, 192, 8, 128, stream)
/* ossl_camellia128ctr_functions */
IMPLEMENT_generic_cipher(camellia, CAMELLIA, ctr, CTR, 0, 128, 8, 128, stream)
+#include "cipher_camellia_cts.inc"
diff --git a/providers/implementations/ciphers/cipher_camellia_cts.inc b/providers/implementations/ciphers/cipher_camellia_cts.inc
new file mode 100644
index 0000000000..84ea992b8d
--- /dev/null
+++ b/providers/implementations/ciphers/cipher_camellia_cts.inc
@@ -0,0 +1,94 @@
+/*
+ * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/* Dispatch functions for CAMELLIA CBC CTS ciphers */
+
+#include <openssl/proverr.h>
+#include "cipher_cts.h"
+
+#define CTS_FLAGS PROV_CIPHER_FLAG_CTS
+
+static OSSL_FUNC_cipher_encrypt_init_fn camellia_cbc_cts_einit;
+static OSSL_FUNC_cipher_decrypt_init_fn camellia_cbc_cts_dinit;
+static OSSL_FUNC_cipher_get_ctx_params_fn camellia_cbc_cts_get_ctx_params;
+static OSSL_FUNC_cipher_set_ctx_params_fn camellia_cbc_cts_set_ctx_params;
+static OSSL_FUNC_cipher_gettable_ctx_params_fn camellia_cbc_cts_gettable_ctx_params;
+static OSSL_FUNC_cipher_settable_ctx_params_fn camellia_cbc_cts_settable_ctx_params;
+
+CIPHER_DEFAULT_GETTABLE_CTX_PARAMS_START(camellia_cbc_cts)
+OSSL_PARAM_utf8_string(OSSL_CIPHER_PARAM_CTS_MODE, NULL, 0),
+CIPHER_DEFAULT_GETTABLE_CTX_PARAMS_END(camellia_cbc_cts)
+
+static int camellia_cbc_cts_einit(void *ctx, const unsigned char *key, size_t keylen,
+ const unsigned char *iv, size_t ivlen,
+ const OSSL_PARAM params[])
+{
+ if (!ossl_cipher_generic_einit(ctx, key, keylen, iv, ivlen, NULL))
+ return 0;
+ return camellia_cbc_cts_set_ctx_params(ctx, params);
+}
+
+static int camellia_cbc_cts_dinit(void *ctx, const unsigned char *key, size_t keylen,
+ const unsigned char *iv, size_t ivlen,
+ const OSSL_PARAM params[])
+{
+ if (!ossl_cipher_generic_dinit(ctx, key, keylen, iv, ivlen, NULL))
+ return 0;
+ return camellia_cbc_cts_set_ctx_params(ctx, params);
+}
+
+static int camellia_cbc_cts_get_ctx_params(void *vctx, OSSL_PARAM params[])
+{
+ PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
+ OSSL_PARAM *p;
+
+ p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_CTS_MODE);
+ if (p != NULL) {
+ const char *name = ossl_cipher_cbc_cts_mode_id2name(ctx->cts_mode);
+
+ if (name == NULL || !OSSL_PARAM_set_utf8_string(p, name)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
+ return 0;
+ }
+ }
+ return ossl_cipher_generic_get_ctx_params(vctx, params);
+}
+
+CIPHER_DEFAULT_SETTABLE_CTX_PARAMS_START(camellia_cbc_cts)
+OSSL_PARAM_utf8_string(OSSL_CIPHER_PARAM_CTS_MODE, NULL, 0),
+CIPHER_DEFAULT_SETTABLE_CTX_PARAMS_END(camellia_cbc_cts)
+
+static int camellia_cbc_cts_set_ctx_params(void *vctx, const OSSL_PARAM params[])
+{
+ PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
+ const OSSL_PARAM *p;
+ int id;
+
+ p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_CTS_MODE);
+ if (p != NULL) {
+ if (p->data_type != OSSL_PARAM_UTF8_STRING)
+ goto err;
+ id = ossl_cipher_cbc_cts_mode_name2id(p->data);
+ if (id < 0)
+ goto err;
+
+ ctx->cts_mode = (unsigned int)id;
+ }
+ return ossl_cipher_generic_set_ctx_params(vctx, params);
+err:
+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
+ return 0;
+}
+
+/* ossl_camellia256cbc_cts_functions */
+IMPLEMENT_cts_cipher(camellia, CAMELLIA, cbc, CBC, CTS_FLAGS, 256, 128, 128, block)
+/* ossl_camellia192cbc_cts_functions */
+IMPLEMENT_cts_cipher(camellia, CAMELLIA, cbc, CBC, CTS_FLAGS, 192, 128, 128, block)
+/* ossl_camellia128cbc_cts_functions */
+IMPLEMENT_cts_cipher(camellia, CAMELLIA, cbc, CBC, CTS_FLAGS, 128, 128, 128, block)
diff --git a/providers/implementations/ciphers/cipher_aes_cts.c b/providers/implementations/ciphers/cipher_cts.c
similarity index 72%
rename from providers/implementations/ciphers/cipher_aes_cts.c
rename to providers/implementations/ciphers/cipher_cts.c
index 1eafa39abb..cb3372c646 100644
--- a/providers/implementations/ciphers/cipher_aes_cts.c
+++ b/providers/implementations/ciphers/cipher_cts.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -8,10 +8,10 @@
*/
/*
- * Helper functions for AES CBC CTS ciphers.
+ * Helper functions for 128 bit CBC CTS ciphers (Currently AES and Camellia).
*
* The function dispatch tables are embedded into cipher_aes.c
- * using cipher_aes_cts.inc
+ * and cipher_camellia.c using cipher_aes_cts.inc and cipher_camellia_cts.inc
*/
/*
@@ -48,19 +48,20 @@
#include "e_os.h" /* strcasecmp */
#include <openssl/core_names.h>
-#include <openssl/aes.h>
#include "prov/ciphercommon.h"
#include "internal/nelem.h"
-#include "cipher_aes_cts.h"
+#include "cipher_cts.h"
/* The value assigned to 0 is the default */
#define CTS_CS1 0
#define CTS_CS2 1
#define CTS_CS3 2
+#define CTS_BLOCK_SIZE 16
+
typedef union {
size_t align;
- unsigned char c[AES_BLOCK_SIZE];
+ unsigned char c[CTS_BLOCK_SIZE];
} aligned_16bytes;
typedef struct cts_mode_name2id_st {
@@ -75,7 +76,7 @@ static CTS_MODE_NAME2ID cts_modes[] =
{ CTS_CS3, OSSL_CIPHER_CTS_MODE_CS3 },
};
-const char *ossl_aes_cbc_cts_mode_id2name(unsigned int id)
+const char *ossl_cipher_cbc_cts_mode_id2name(unsigned int id)
{
size_t i;
@@ -86,7 +87,7 @@ const char *ossl_aes_cbc_cts_mode_id2name(unsigned int id)
return NULL;
}
-int ossl_aes_cbc_cts_mode_name2id(const char *name)
+int ossl_cipher_cbc_cts_mode_name2id(const char *name)
{
size_t i;
@@ -103,7 +104,7 @@ static size_t cts128_cs1_encrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in,
aligned_16bytes tmp_in;
size_t residue;
- residue = len % AES_BLOCK_SIZE;
+ residue = len % CTS_BLOCK_SIZE;
len -= residue;
if (!ctx->hw->cipher(ctx, out, in, len))
return 0;
@@ -116,8 +117,8 @@ static size_t cts128_cs1_encrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in,
memset(tmp_in.c, 0, sizeof(tmp_in));
memcpy(tmp_in.c, in, residue);
- if (!ctx->hw->cipher(ctx, out - AES_BLOCK_SIZE + residue, tmp_in.c,
- AES_BLOCK_SIZE))
+ if (!ctx->hw->cipher(ctx, out - CTS_BLOCK_SIZE + residue, tmp_in.c,
+ CTS_BLOCK_SIZE))
return 0;
return len + residue;
}
@@ -134,10 +135,10 @@ static void do_xor(const unsigned char *in1, const unsigned char *in2,
static size_t cts128_cs1_decrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in,
unsigned char *out, size_t len)
{
- aligned_16bytes mid_iv, ct_mid, pt_last;
+ aligned_16bytes mid_iv, ct_mid, cn, pt_last;
size_t residue;
- residue = len % AES_BLOCK_SIZE;
+ residue = len % CTS_BLOCK_SIZE;
if (residue == 0) {
/* If there are no partial blocks then it is the same as CBC mode */
if (!ctx->hw->cipher(ctx, out, in, len))
@@ -145,7 +146,7 @@ static size_t cts128_cs1_decrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in,
return len;
}
/* Process blocks at the start - but leave the last 2 blocks */
- len -= AES_BLOCK_SIZE + residue;
+ len -= CTS_BLOCK_SIZE + residue;
if (len > 0) {
if (!ctx->hw->cipher(ctx, out, in, len))
return 0;
@@ -153,11 +154,13 @@ static size_t cts128_cs1_decrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in,
out += len;
}
/* Save the iv that will be used by the second last block */
- memcpy(mid_iv.c, ctx->iv, AES_BLOCK_SIZE);
+ memcpy(mid_iv.c, ctx->iv, CTS_BLOCK_SIZE);
+ /* Save the C(n) block */
+ memcpy(cn.c, in + residue, CTS_BLOCK_SIZE);
/* Decrypt the last block first using an iv of zero */
- memset(ctx->iv, 0, AES_BLOCK_SIZE);
- if (!ctx->hw->cipher(ctx, pt_last.c, in + residue, AES_BLOCK_SIZE))
+ memset(ctx->iv, 0, CTS_BLOCK_SIZE);
+ if (!ctx->hw->cipher(ctx, pt_last.c, in + residue, CTS_BLOCK_SIZE))
return 0;
/*
@@ -166,26 +169,29 @@ static size_t cts128_cs1_decrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in,
* of the partial second last block.
*/
memcpy(ct_mid.c, in, residue);
- memcpy(ct_mid.c + residue, pt_last.c + residue, AES_BLOCK_SIZE - residue);
+ memcpy(ct_mid.c + residue, pt_last.c + residue, CTS_BLOCK_SIZE - residue);
/*
* Restore the last partial ciphertext block.
* Now that we have the cipher text of the second last block, apply
* that to the partial plaintext end block. We have already decrypted the
* block using an IV of zero. For decryption the IV is just XORed after
- * doing an AES block - so just XOR in the cipher text.
+ * doing an Cipher CBC block - so just XOR in the cipher text.
*/
- do_xor(ct_mid.c, pt_last.c, residue, out + AES_BLOCK_SIZE);
+ do_xor(ct_mid.c, pt_last.c, residue, out + CTS_BLOCK_SIZE);
/* Restore the iv needed by the second last block */
- memcpy(ctx->iv, mid_iv.c, AES_BLOCK_SIZE);
+ memcpy(ctx->iv, mid_iv.c, CTS_BLOCK_SIZE);
+
/*
* Decrypt the second last plaintext block now that we have rebuilt the
* ciphertext.
*/
- if (!ctx->hw->cipher(ctx, out, ct_mid.c, AES_BLOCK_SIZE))
+ if (!ctx->hw->cipher(ctx, out, ct_mid.c, CTS_BLOCK_SIZE))
return 0;
- return len + AES_BLOCK_SIZE + residue;
+ /* The returned iv is the C(n) block */
+ memcpy(ctx->iv, cn.c, CTS_BLOCK_SIZE);
+ return len + CTS_BLOCK_SIZE + residue;
}
static size_t cts128_cs3_encrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in,
@@ -194,12 +200,16 @@ static size_t cts128_cs3_encrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in,
aligned_16bytes tmp_in;
size_t residue;
- if (len <= AES_BLOCK_SIZE) /* CS3 requires 2 blocks */
+ if (len < CTS_BLOCK_SIZE) /* CS3 requires at least one block */
return 0;
- residue = len % AES_BLOCK_SIZE;
+ /* If we only have one block then just process the aligned block */
+ if (len == CTS_BLOCK_SIZE)
+ return ctx->hw->cipher(ctx, out, in, len) ? len : 0;
+
+ residue = len % CTS_BLOCK_SIZE;
if (residue == 0)
- residue = AES_BLOCK_SIZE;
+ residue = CTS_BLOCK_SIZE;
len -= residue;
if (!ctx->hw->cipher(ctx, out, in, len))
@@ -210,8 +220,8 @@ static size_t cts128_cs3_encrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in,
memset(tmp_in.c, 0, sizeof(tmp_in));
memcpy(tmp_in.c, in, residue);
- memcpy(out, out - AES_BLOCK_SIZE, residue);
- if (!ctx->hw->cipher(ctx, out - AES_BLOCK_SIZE, tmp_in.c, AES_BLOCK_SIZE))
+ memcpy(out, out - CTS_BLOCK_SIZE, residue);
+ if (!ctx->hw->cipher(ctx, out - CTS_BLOCK_SIZE, tmp_in.c, CTS_BLOCK_SIZE))
return 0;
return len + residue;
}
@@ -227,17 +237,21 @@ static size_t cts128_cs3_encrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in,
static size_t cts128_cs3_decrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in,
unsigned char *out, size_t len)
{
- aligned_16bytes mid_iv, ct_mid, pt_last;
+ aligned_16bytes mid_iv, ct_mid, cn, pt_last;
size_t residue;
- if (len <= AES_BLOCK_SIZE) /* CS3 requires 2 blocks */
+ if (len < CTS_BLOCK_SIZE) /* CS3 requires at least one block */
return 0;
+ /* If we only have one block then just process the aligned block */
+ if (len == CTS_BLOCK_SIZE)
+ return ctx->hw->cipher(ctx, out, in, len) ? len : 0;
+
/* Process blocks at the start - but leave the last 2 blocks */
- residue = len % AES_BLOCK_SIZE;
+ residue = len % CTS_BLOCK_SIZE;
if (residue == 0)
- residue = AES_BLOCK_SIZE;
- len -= AES_BLOCK_SIZE + residue;
+ residue = CTS_BLOCK_SIZE;
+ len -= CTS_BLOCK_SIZE + residue;
if (len > 0) {
if (!ctx->hw->cipher(ctx, out, in, len))
@@ -246,11 +260,13 @@ static size_t cts128_cs3_decrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in,
out += len;
}
/* Save the iv that will be used by the second last block */
- memcpy(mid_iv.c, ctx->iv, AES_BLOCK_SIZE);
+ memcpy(mid_iv.c, ctx->iv, CTS_BLOCK_SIZE);
+ /* Save the C(n) block : For CS3 it is C(1)||...||C(n-2)||C(n)||C(n-1)* */
+ memcpy(cn.c, in, CTS_BLOCK_SIZE);
- /* Decrypt the Cn block first using an iv of zero */
- memset(ctx->iv, 0, AES_BLOCK_SIZE);
- if (!ctx->hw->cipher(ctx, pt_last.c, in, AES_BLOCK_SIZE))
+ /* Decrypt the C(n) block first using an iv of zero */
+ memset(ctx->iv, 0, CTS_BLOCK_SIZE);
+ if (!ctx->hw->cipher(ctx, pt_last.c, in, CTS_BLOCK_SIZE))
return 0;
/*
@@ -258,9 +274,9 @@ static size_t cts128_cs3_decrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in,
* the decrypted C(n) block + replace the start with the ciphertext bytes
* of the partial last block.
*/
- memcpy(ct_mid.c, in + AES_BLOCK_SIZE, residue);
- if (residue != AES_BLOCK_SIZE)
- memcpy(ct_mid.c + residue, pt_last.c + residue, AES_BLOCK_SIZE - residue);
+ memcpy(ct_mid.c, in + CTS_BLOCK_SIZE, residue);
+ if (residue != CTS_BLOCK_SIZE)
+ memcpy(ct_mid.c + residue, pt_last.c + residue, CTS_BLOCK_SIZE - residue);
/*
* Restore the last partial ciphertext block.
* Now that we have the cipher text of the second last block, apply
@@ -268,24 +284,26 @@ static size_t cts128_cs3_decrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in,
* block using an IV of zero. For decryption the IV is just XORed after
* doing an AES block - so just XOR in the ciphertext.
*/
- do_xor(ct_mid.c, pt_last.c, residue, out + AES_BLOCK_SIZE);
+ do_xor(ct_mid.c, pt_last.c, residue, out + CTS_BLOCK_SIZE);
/* Restore the iv needed by the second last block */
- memcpy(ctx->iv, mid_iv.c, AES_BLOCK_SIZE);
+ memcpy(ctx->iv, mid_iv.c, CTS_BLOCK_SIZE);
/*
* Decrypt the second last plaintext block now that we have rebuilt the
* ciphertext.
*/
- if (!ctx->hw->cipher(ctx, out, ct_mid.c, AES_BLOCK_SIZE))
+ if (!ctx->hw->cipher(ctx, out, ct_mid.c, CTS_BLOCK_SIZE))
return 0;
- return len + AES_BLOCK_SIZE + residue;
+ /* The returned iv is the C(n) block */
+ memcpy(ctx->iv, cn.c, CTS_BLOCK_SIZE);
+ return len + CTS_BLOCK_SIZE + residue;
}
static size_t cts128_cs2_encrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in,
unsigned char *out, size_t len)
{
- if (len % AES_BLOCK_SIZE == 0) {
+ if (len % CTS_BLOCK_SIZE == 0) {
/* If there are no partial blocks then it is the same as CBC mode */
if (!ctx->hw->cipher(ctx, out, in, len))
return 0;
@@ -298,7 +316,7 @@ static size_t cts128_cs2_encrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in,
static size_t cts128_cs2_decrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in,
unsigned char *out, size_t len)
{
- if (len % AES_BLOCK_SIZE == 0) {
+ if (len % CTS_BLOCK_SIZE == 0) {
/* If there are no partial blocks then it is the same as CBC mode */
if (!ctx->hw->cipher(ctx, out, in, len))
return 0;
@@ -308,14 +326,14 @@ static size_t cts128_cs2_decrypt(PROV_CIPHER_CTX *ctx, const unsigned char *in,
return cts128_cs3_decrypt(ctx, in, out, len);
}
-int ossl_aes_cbc_cts_block_update(void *vctx, unsigned char *out, size_t *outl,
- size_t outsize, const unsigned char *in,
- size_t inl)
+int ossl_cipher_cbc_cts_block_update(void *vctx, unsigned char *out, size_t *outl,
+ size_t outsize, const unsigned char *in,
+ size_t inl)
{
PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
size_t sz = 0;
- if (inl < AES_BLOCK_SIZE) /* There must be at least one block for CTS mode */
+ if (inl < CTS_BLOCK_SIZE) /* There must be at least one block for CTS mode */
return 0;
if (outsize < inl)
return 0;
@@ -353,8 +371,8 @@ int ossl_aes_cbc_cts_block_update(void *vctx, unsigned char *out, size_t *outl,
return 1;
}
-int ossl_aes_cbc_cts_block_final(void *vctx, unsigned char *out, size_t *outl,
- size_t outsize)
+int ossl_cipher_cbc_cts_block_final(void *vctx, unsigned char *out, size_t *outl,
+ size_t outsize)
{
*outl = 0;
return 1;
diff --git a/providers/implementations/ciphers/cipher_cts.h b/providers/implementations/ciphers/cipher_cts.h
new file mode 100644
index 0000000000..9473fbde88
--- /dev/null
+++ b/providers/implementations/ciphers/cipher_cts.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include "crypto/evp.h"
+
+/* NOTE: The underlying block cipher is CBC so we reuse most of the code */
+#define IMPLEMENT_cts_cipher(alg, UCALG, lcmode, UCMODE, flags, kbits, \
+ blkbits, ivbits, typ) \
+static OSSL_FUNC_cipher_get_params_fn alg##_##kbits##_##lcmode##_get_params; \
+static int alg##_cts_##kbits##_##lcmode##_get_params(OSSL_PARAM params[]) \
+{ \
+ return ossl_cipher_generic_get_params(params, EVP_CIPH_##UCMODE##_MODE, \
+ flags, kbits, blkbits, ivbits); \
+} \
+const OSSL_DISPATCH ossl_##alg##kbits##lcmode##_cts_functions[] = { \
+ { OSSL_FUNC_CIPHER_NEWCTX, \
+ (void (*)(void)) alg##_##kbits##_##lcmode##_newctx }, \
+ { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void)) alg##_freectx }, \
+ { OSSL_FUNC_CIPHER_DUPCTX, (void (*)(void)) alg##_dupctx }, \
+ { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void)) alg##_cbc_cts_einit }, \
+ { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void)) alg##_cbc_cts_dinit }, \
+ { OSSL_FUNC_CIPHER_UPDATE, \
+ (void (*)(void)) ossl_cipher_cbc_cts_block_update }, \
+ { OSSL_FUNC_CIPHER_FINAL, \
+ (void (*)(void)) ossl_cipher_cbc_cts_block_final }, \
+ { OSSL_FUNC_CIPHER_CIPHER, (void (*)(void))ossl_cipher_generic_cipher }, \
+ { OSSL_FUNC_CIPHER_GET_PARAMS, \
+ (void (*)(void)) alg##_cts_##kbits##_##lcmode##_get_params }, \
+ { OSSL_FUNC_CIPHER_GETTABLE_PARAMS, \
+ (void (*)(void))ossl_cipher_generic_gettable_params }, \
+ { OSSL_FUNC_CIPHER_GET_CTX_PARAMS, \
+ (void (*)(void)) alg##_cbc_cts_get_ctx_params }, \
+ { OSSL_FUNC_CIPHER_SET_CTX_PARAMS, \
+ (void (*)(void)) alg##_cbc_cts_set_ctx_params }, \
+ { OSSL_FUNC_CIPHER_GETTABLE_CTX_PARAMS, \
+ (void (*)(void)) alg##_cbc_cts_gettable_ctx_params }, \
+ { OSSL_FUNC_CIPHER_SETTABLE_CTX_PARAMS, \
+ (void (*)(void)) alg##_cbc_cts_settable_ctx_params }, \
+ { 0, NULL } \
+};
+
+OSSL_FUNC_cipher_update_fn ossl_cipher_cbc_cts_block_update;
+OSSL_FUNC_cipher_final_fn ossl_cipher_cbc_cts_block_final;
+
+const char *ossl_cipher_cbc_cts_mode_id2name(unsigned int id);
+int ossl_cipher_cbc_cts_mode_name2id(const char *name);
diff --git a/providers/implementations/include/prov/implementations.h b/providers/implementations/include/prov/implementations.h
index c80b0dcfa3..8bdd491d0d 100644
--- a/providers/implementations/include/prov/implementations.h
+++ b/providers/implementations/include/prov/implementations.h
@@ -129,6 +129,9 @@ extern const OSSL_DISPATCH ossl_camellia128ecb_functions[];
extern const OSSL_DISPATCH ossl_camellia256cbc_functions[];
extern const OSSL_DISPATCH ossl_camellia192cbc_functions[];
extern const OSSL_DISPATCH ossl_camellia128cbc_functions[];
+extern const OSSL_DISPATCH ossl_camellia256cbc_cts_functions[];
+extern const OSSL_DISPATCH ossl_camellia192cbc_cts_functions[];
+extern const OSSL_DISPATCH ossl_camellia128cbc_cts_functions[];
extern const OSSL_DISPATCH ossl_camellia256ofb_functions[];
extern const OSSL_DISPATCH ossl_camellia192ofb_functions[];
extern const OSSL_DISPATCH ossl_camellia128ofb_functions[];
diff --git a/providers/implementations/include/prov/names.h b/providers/implementations/include/prov/names.h
index b05776e4f6..e0dbb69a9d 100644
--- a/providers/implementations/include/prov/names.h
+++ b/providers/implementations/include/prov/names.h
@@ -130,6 +130,9 @@
#define PROV_NAMES_CAMELLIA_256_CBC "CAMELLIA-256-CBC:CAMELLIA256:1.2.392.200011.61.1.1.1.4"
#define PROV_NAMES_CAMELLIA_192_CBC "CAMELLIA-192-CBC:CAMELLIA192:1.2.392.200011.61.1.1.1.3"
#define PROV_NAMES_CAMELLIA_128_CBC "CAMELLIA-128-CBC:CAMELLIA128:1.2.392.200011.61.1.1.1.2"
+#define PROV_NAMES_CAMELLIA_256_CBC_CTS "CAMELLIA-256-CBC-CTS"
+#define PROV_NAMES_CAMELLIA_192_CBC_CTS "CAMELLIA-192-CBC-CTS"
+#define PROV_NAMES_CAMELLIA_128_CBC_CTS "CAMELLIA-128-CBC-CTS"
#define PROV_NAMES_CAMELLIA_256_OFB "CAMELLIA-256-OFB:0.3.4401.5.3.1.9.43"
#define PROV_NAMES_CAMELLIA_192_OFB "CAMELLIA-192-OFB:0.3.4401.5.3.1.9.23"
#define PROV_NAMES_CAMELLIA_128_OFB "CAMELLIA-128-OFB:0.3.4401.5.3.1.9.3"
diff --git a/test/recipes/30-test_evp.t b/test/recipes/30-test_evp.t
index 96fc394fca..7ae546e1d7 100644
--- a/test/recipes/30-test_evp.t
+++ b/test/recipes/30-test_evp.t
@@ -86,6 +86,7 @@ my @defltfiles = qw(
evpciph_aria.txt
evpciph_bf.txt
evpciph_camellia.txt
+ evpciph_camellia_cts.txt
evpciph_cast5.txt
evpciph_chacha.txt
evpciph_des.txt
diff --git a/test/recipes/30-test_evp_data/evpciph_aes_cts.txt b/test/recipes/30-test_evp_data/evpciph_aes_cts.txt
index 0c22e9d905..106eec403f 100644
--- a/test/recipes/30-test_evp_data/evpciph_aes_cts.txt
+++ b/test/recipes/30-test_evp_data/evpciph_aes_cts.txt
@@ -48,6 +48,7 @@ Key = 636869636b656e207465726979616b69
IV = 00000000000000000000000000000000
Plaintext = 4920776f756c64206c696b652074686520
Ciphertext = 97c6353568f2bf8cb4d8a580362da7ff7f
+NextIV = c6353568f2bf8cb4d8a580362da7ff7f
# 31 bytes input
Cipher = AES-128-CBC-CTS
@@ -56,6 +57,7 @@ Key = 636869636b656e207465726979616b69
IV = 00000000000000000000000000000000
Plaintext = 4920776f756c64206c696b65207468652047656e6572616c20476175277320
Ciphertext = 97687268d6ecccc0c07b25e25ecfe5fc00783e0efdb2c1d445d4c8eff7ed22
+NextIV = fc00783e0efdb2c1d445d4c8eff7ed22
# 32 bytes input
Cipher = AES-128-CBC-CTS
@@ -64,6 +66,7 @@ Key = 636869636b656e207465726979616b69
IV = 00000000000000000000000000000000
Plaintext = 4920776f756c64206c696b65207468652047656e6572616c2047617527732043
Ciphertext = 97687268d6ecccc0c07b25e25ecfe58439312523a78662d5be7fcbcc98ebf5a8
+NextIV = 39312523a78662d5be7fcbcc98ebf5a8
# 47 bytes input
Cipher = AES-128-CBC-CTS
@@ -71,6 +74,7 @@ Key = 636869636b656e207465726979616b69
IV = 00000000000000000000000000000000
Plaintext = 4920776f756c64206c696b65207468652047656e6572616c20476175277320436869636b656e2c20706c656173652c
Ciphertext = 97687268d6ecccc0c07b25e25ecfe58439312523a78662d5be7fcbcc98ebf5b3fffd940c16a18c1b5549d2f838029e
+NextIV = b3fffd940c16a18c1b5549d2f838029e
# 64 bytes input (CS1 is equivalent to CBC when the last block in full)
Cipher = AES-128-CBC-CTS
@@ -79,6 +83,7 @@ Key = 636869636b656e207465726979616b69
IV = 00000000000000000000000000000000
Plaintext = 4920776f756c64206c696b65207468652047656e6572616c20476175277320436869636b656e2c20706c656173652c20616e6420776f6e746f6e20736f75702e
Ciphertext = 97687268d6ecccc0c07b25e25ecfe58439312523a78662d5be7fcbcc98ebf5a89dad8bbb96c4cdc03bc103e1a194bbd84807efe836ee89a526730dbc2f7bc840
+NextIV = 4807efe836ee89a526730dbc2f7bc840
#-------------------------------------------------------------------------------
# Generated test values using an IV.
@@ -159,6 +164,7 @@ Key = 636869636b656e207465726979616b69
IV = 00000000000000000000000000000000
Plaintext = 4920776f756c64206c696b652074686520
Ciphertext = c6353568f2bf8cb4d8a580362da7ff7f97
+NextIV = c6353568f2bf8cb4d8a580362da7ff7f
# 31 bytes input (For partial blocks the output should match CS3)
Cipher = AES-128-CBC-CTS
@@ -167,6 +173,7 @@ Key = 636869636b656e207465726979616b69
IV = 00000000000000000000000000000000
Plaintext = 4920776f756c64206c696b65207468652047656e6572616c20476175277320
Ciphertext = fc00783e0efdb2c1d445d4c8eff7ed2297687268d6ecccc0c07b25e25ecfe5
+NextIV = fc00783e0efdb2c1d445d4c8eff7ed22
# 32 bytes input (Aligned blocks should match normal CBC mode)
Cipher = AES-128-CBC-CTS
@@ -175,6 +182,7 @@ Key = 636869636b656e207465726979616b69
IV = 00000000000000000000000000000000
Plaintext = 4920776f756c64206c696b65207468652047656e6572616c2047617527732043
Ciphertext = 97687268d6ecccc0c07b25e25ecfe58439312523a78662d5be7fcbcc98ebf5a8
+NextIV = 39312523a78662d5be7fcbcc98ebf5a8
# 47 bytes input
Cipher = AES-128-CBC-CTS
@@ -183,6 +191,7 @@ Key = 636869636b656e207465726979616b69
IV = 00000000000000000000000000000000
Plaintext = 4920776f756c64206c696b65207468652047656e6572616c20476175277320436869636b656e2c20706c656173652c
Ciphertext = 97687268d6ecccc0c07b25e25ecfe584b3fffd940c16a18c1b5549d2f838029e39312523a78662d5be7fcbcc98ebf5
+NextIV = b3fffd940c16a18c1b5549d2f838029e
# 64 bytes input (CS2 is equivalent to CBC when the last block in full)
Cipher = AES-128-CBC-CTS
@@ -191,6 +200,7 @@ Key = 636869636b656e207465726979616b69
IV = 00000000000000000000000000000000
Plaintext = 4920776f756c64206c696b65207468652047656e6572616c20476175277320436869636b656e2c20706c656173652c20616e6420776f6e746f6e20736f75702e
Ciphertext = 97687268d6ecccc0c07b25e25ecfe58439312523a78662d5be7fcbcc98ebf5a89dad8bbb96c4cdc03bc103e1a194bbd84807efe836ee89a526730dbc2f7bc840
+NextIV = 4807efe836ee89a526730dbc2f7bc840
# Generated test values using an IV.
@@ -236,6 +246,7 @@ Key = 636869636b656e207465726979616b69
IV = 00000000000000000000000000000000
Plaintext = 4920776f756c64206c696b652074686520
Ciphertext = c6353568f2bf8cb4d8a580362da7ff7f97
+NextIV = c6353568f2bf8cb4d8a580362da7ff7f
# 31 bytes input
Cipher = AES-128-CBC-CTS
@@ -244,6 +255,7 @@ Key = 636869636b656e207465726979616b69
IV = 00000000000000000000000000000000
Plaintext = 4920776f756c64206c696b65207468652047656e6572616c20476175277320
Ciphertext = fc00783e0efdb2c1d445d4c8eff7ed2297687268d6ecccc0c07b25e25ecfe5
+NextIV = fc00783e0efdb2c1d445d4c8eff7ed22
# 32 bytes input (CS3 always swaps the last 2 byte blocks - so it is not equivalent to CBC for a full block)
Cipher = AES-128-CBC-CTS
@@ -252,6 +264,7 @@ Key = 636869636b656e207465726979616b69
IV = 00000000000000000000000000000000
Plaintext = 4920776f756c64206c696b65207468652047656e6572616c2047617527732043
Ciphertext = 39312523a78662d5be7fcbcc98ebf5a897687268d6ecccc0c07b25e25ecfe584
+NextIV = 39312523a78662d5be7fcbcc98ebf5a8
# 47 bytes input
Cipher = AES-128-CBC-CTS
@@ -260,6 +273,7 @@ Key = 636869636b656e207465726979616b69
IV = 00000000000000000000000000000000
Plaintext = 4920776f756c64206c696b65207468652047656e6572616c20476175277320436869636b656e2c20706c656173652c
Ciphertext = 97687268d6ecccc0c07b25e25ecfe584b3fffd940c16a18c1b5549d2f838029e39312523a78662d5be7fcbcc98ebf5
+NextIV = b3fffd940c16a18c1b5549d2f838029e
# 48 bytes input
Cipher = AES-128-CBC-CTS
@@ -268,6 +282,7 @@ Key = 636869636b656e207465726979616b69
IV = 00000000000000000000000000000000
Plaintext = 4920776f756c64206c696b65207468652047656e6572616c20476175277320436869636b656e2c20706c656173652c20
Ciphertext = 97687268d6ecccc0c07b25e25ecfe5849dad8bbb96c4cdc03bc103e1a194bbd839312523a78662d5be7fcbcc98ebf5a8
+NextIV = 9dad8bbb96c4cdc03bc103e1a194bbd8
# 64 bytes input (CS3 always swaps the last 2 byte blocks - so it is not equivalent to CBC for a full block)
Cipher = AES-128-CBC-CTS
@@ -344,11 +359,32 @@ IV = 00000000000000000000000000000000
Plaintext = 0102030405060708090A0B0C0D0E0F
Result = CIPHERUPDATE_ERROR
-# 16 bytes should fail for CS3 (since it always needs 2 blocks).
+# 16 bytes input
+Cipher = AES-128-CBC
+Key = 636869636b656e207465726979616b69
+IV = 00000000000000000000000000000000
+Plaintext = 0102030405060708090A0B0C0D0E0F00
+Ciphertext = 011ca8de3bd20ebc2f8701d56dcf768e
+
+# 16 bytes with CS3 should return the same as plain CBC mode.
+Cipher = AES-128-CBC-CTS
+CTSMode = CS1
+Key = 636869636b656e207465726979616b69
+IV = 00000000000000000000000000000000
+Plaintext = 0102030405060708090A0B0C0D0E0F00
+Ciphertext = 011ca8de3bd20ebc2f8701d56dcf768e
+
+Cipher = AES-128-CBC-CTS
+CTSMode = CS2
+Key = 636869636b656e207465726979616b69
+IV = 00000000000000000000000000000000
+Plaintext = 0102030405060708090A0B0C0D0E0F00
+Ciphertext = 011ca8de3bd20ebc2f8701d56dcf768e
+
Cipher = AES-128-CBC-CTS
CTSMode = CS3
Key = 636869636b656e207465726979616b69
IV = 00000000000000000000000000000000
Plaintext = 0102030405060708090A0B0C0D0E0F00
-Result = CIPHERUPDATE_ERROR
+Ciphertext = 011ca8de3bd20ebc2f8701d56dcf768e
diff --git a/test/recipes/30-test_evp_data/evpciph_camellia_cts.txt b/test/recipes/30-test_evp_data/evpciph_camellia_cts.txt
new file mode 100644
index 0000000000..4bc698e3ca
--- /dev/null
+++ b/test/recipes/30-test_evp_data/evpciph_camellia_cts.txt
@@ -0,0 +1,141 @@
+#
+# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+Title = Camellia CTS tests from RFC6803
+
+# The encryption test vectors in RFC6803 specify the base_key,
+# not the derived encryption key.
+# The encryption key was manually derived using:
+# ke = KBKDF(mac = CMAC, mode = FEEDBACK, base_key,
+# salt = 0000000 || usage || AA,
+# seed = 00000000000000000000000000000000)
+# NOTE: that the usage was not specified in the test vectors,
+# but is listed here in https://www.rfc-editor.org/errata_search.php?rfc=6803
+#
+# e.g: openssl kdf -cipher CAMELLIA-128-CBC
+# -keylen 16
+# -kdfopt hexkey:1DC46A8D763F4F93742BCBA3387576C3
+# -kdfopt hexsalt:00000000AA
+# -kdfopt mode:FEEDBACK
+# -kdfopt hexseed:00000000000000000000000000000000
+# -mac CMAC
+# KBKDF
+#
+# The ciphertext result also contains a MAC result so this was also manually stripped from the test data.
+# The random confounder is also prepended to the plaintext.
+#
+
+# 128-bit Camellia key: 1DC46A8D763F4F93742BCBA3387576C3
+# Key usage: 0
+# Random confounder: B69822A19A6B09C0EBC8557D1F1B6C0A
+# Plaintext: (empty)
+Cipher = CAMELLIA-128-CBC-CTS
+CTSMode = CS3
+Key = E99B82B36C4AE8EA19E95DFA9EDE882C
+IV = 00000000000000000000000000000000
+Plaintext = B69822A19A6B09C0EBC8557D1F1B6C0A
+Ciphertext = C466F1871069921EDB7C6FDE244A52DB
+
+# 128-bit Camellia key: 5027BC231D0F3A9D23333F1CA6FDBE7C
+# Key usage: 1
+# Random confounder: 6F2FC3C2A166FD8898967A83DE9596D9
+# Plaintext: 1 (31)
+Cipher = CAMELLIA-128-CBC-CTS
+CTSMode = CS3
+Key = A7EDCD5397EA6D12B0AFF4CB8DAA57AD
+IV = 00000000000000000000000000000000
+Plaintext = 6F2FC3C2A166FD8898967A83DE9596D931
+Ciphertext = 842D21FD950311C0DD464A3F4BE8D6DA88
+
+# 128-bit Camellia key: A1BB61E805F9BA6DDE8FDBDDC05CDEA0
+# Key usage: 2
+# Random confounder: A5B4A71E077AEEF93C8763C18FDB1F10
+# Plaintext: 9 bytesss (392062797465737373)
+Cipher = CAMELLIA-128-CBC-CTS
+CTSMode = CS3
+Key = DDE42ECA7CD9863FC3CE89CBC94362D7
+IV = 00000000000000000000000000000000
+Plaintext = A5B4A71E077AEEF93C8763C18FDB1F10392062797465737373
+Ciphertext = 619FF072E36286FF0A28DEB3A352EC0D0EDF5C5160D663C901
+
+# 128-bit Camellia key: 2CA27A5FAF5532244506434E1CEF6676
+# Key usage: 3
+# Random confounder: 19FEE40D810C524B5B22F01874C693DA
+# Plaintext: 13 bytes byte (31332062797465732062797465)
+Cipher = CAMELLIA-128-CBC-CTS
+CTSMode = CS3
+Key = C3113A258590B9AEBF721B1AF6B0CBF8
+IV = 00000000000000000000000000000000
+Plaintext = 19FEE40D810C524B5B22F01874C693DA31332062797465732062797465
+Ciphertext = B8ECA3167AE6315512E59F98A7C500205E5F63FF3BB389AF1C41A21D64
+
+# 128-bit Camellia key: 7824F8C16F83FF354C6BF7515B973F43
+# Key usage: 4
+# Random confounder: CA7A7AB4BE192DABD603506DB19C39E2
+# Plaintext: 30 bytes bytes bytes bytes byt (333020627974657320627974657320627974657320627974657320627974)
+Cipher = CAMELLIA-128-CBC-CTS
+CTSMode = CS3
+Key = 8B07EED30149916AA20DB3F5CED8AFAD
+IV = 00000000000000000000000000000000
+Plaintext = CA7A7AB4BE192DABD603506DB19C39E2333020627974657320627974657320627974657320627974657320627974
+Ciphertext = A26A3905A4FFD5816B7B1E27380D08090C8EC1F304496E1ABDCD2BDCD1DFFC660989E117A713DDBB57A4146C1587
+
+# 256-bit Camellia key: B61C86CC4E5D2757545AD423399FB7031ECAB913CBB900BD7A3C6DD8BF92015B
+# Key usage: 0
+# Random confounder: 3CBBD2B45917941067F96599BB98926C
+# Plaintext: (empty)
+Cipher = CAMELLIA-256-CBC-CTS
+CTSMode = CS3
+Key = 6CCB3F25D8AE57F4E8F6CA474BDDEFF116CE131B3F71012E756D6B1E3F70A7F1
+IV = 00000000000000000000000000000000
+Plaintext = 3CBBD2B45917941067F96599BB98926C
+Ciphertext = 03886D03310B47A6D8F06D7B94D1DD83
+
+# 256-bit Camellia key: 1B97FE0A190E2021EB30753E1B6E1E77B0754B1D684610355864104963463833
+# Key usage: 1
+# Random confounder: DEF487FCEBE6DE6346D4DA4521BBA2D2
+# Plaintext: 1 (31)
+Cipher = CAMELLIA-256-CBC-CTS
+CTSMode = CS3
+Key = E93173AA01EB3C246231DAFC7802EE32AF24851D8C7387D18CB9B2C5B7F570B8
+IV = 00000000000000000000000000000000
+Plaintext = DEF487FCEBE6DE6346D4DA4521BBA2D231
+Ciphertext = 2C9C1570133C99BF6A34BC1B0212002FD1
+
+# 256-bit Camellia key: 32164C5B434D1D1538E4CFD9BE8040FE8C4AC7ACC4B93D3314D2133668147A05
+# Key usage: 2
+# Random confounder: AD4FF904D34E555384B14100FC465F88
+# Plaintext: 9 bytesss (392062797465737373)
+Cipher = CAMELLIA-256-CBC-CTS
+CTSMode = CS3
+Key = CDA2D39A9B243FFEB56E8D5F4BD528741ECB520C62123FB040B8418B15C7D70C
+IV = 00000000000000000000000000000000
+Plaintext = AD4FF904D34E555384B14100FC465F88392062797465737373
+Ciphertext = 9C6DE75F812DE7ED0D28B2963557A115640998275B0AF51527
+
+# 256-bit Camellia key: B038B132CD8E06612267FAB7170066D88AECCBA0B744BFC60DC89BCA182D0715
+# Key usage: 3
+# Random confounder: CF9BCA6DF1144E0C0AF9B8F34C90D514
+# Plaintext: 13 bytes byte (31332062797465732062797465)
+Cipher = CAMELLIA-256-CBC-CTS
+CTSMode = CS3
+Key = CD8A10E279DADDB6901EC30BDF9873250F6EFC6A77367D74DC3EE7F74BC7774E
+IV = 00000000000000000000000000000000
+Plaintext = CF9BCA6DF1144E0C0AF9B8F34C90D51431332062797465732062797465
+Ciphertext = EEEC85A9813CDC536772AB9B42DEFC5706F726E975DDE05A87EB5406EA
+
+# 256-bit Camellia key: CCFCD349BF4C6677E86E4B02B8EAB924A546AC731CF9BF6989B996E7D6BFBBA7
+# Key usage: 4
+# Random confounder: 644DEF38DA35007275878D216855E228
+# Plaintext: 30 bytes bytes bytes bytes byt (333020627974657320627974657320627974657320627974657320627974)
+Cipher = CAMELLIA-256-CBC-CTS
+CTSMode = CS3
+Key = 1D5147F34BB001A04A68A71346E7654E0223A60D90BC2B79B4D87956D47CD42A
+IV = 00000000000000000000000000000000
+Plaintext = 644DEF38DA35007275878D216855E228333020627974657320627974657320627974657320627974657320627974
+Ciphertext = 0E44680985855F2D1F1812529CA83BFD8E349DE6FD9ADA0BAAA048D68E265FEBF34AD1255A344999AD37146887A6
More information about the openssl-commits
mailing list