Browse Source

Add support for camellia cbc cts mode

Fixes #16276

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16286)
master
Shane Lontis 2 months ago
committed by Pauli
parent
commit
7f5a9399d2
10 changed files with 276 additions and 10 deletions
  1. +12
    -8
      doc/man3/EVP_EncryptInit.pod
  2. +2
    -0
      doc/man7/EVP_CIPHER-CAMELLIA.pod
  3. +16
    -2
      doc/man7/migration_guide.pod
  4. +3
    -0
      providers/defltprov.c
  5. +1
    -0
      providers/implementations/ciphers/cipher_camellia.c
  6. +94
    -0
      providers/implementations/ciphers/cipher_camellia_cts.inc
  7. +3
    -0
      providers/implementations/include/prov/implementations.h
  8. +3
    -0
      providers/implementations/include/prov/names.h
  9. +1
    -0
      test/recipes/30-test_evp.t
  10. +141
    -0
      test/recipes/30-test_evp_data/evpciph_camellia_cts.txt

+ 12
- 8
doc/man3/EVP_EncryptInit.pod View File

@ -738,7 +738,8 @@ that has the flag B<EVP_CIPH_FLAG_CUSTOM_ASN1> set.
=item "cts_mode" (B<OSSL_CIPHER_PARAM_CTS_MODE>) <UTF8 string>
Gets or sets the cipher text stealing mode. For all modes the output size is the
same as the input size.
same as the input size. The input length must be greater than or equal to the
block size. (The block size for AES and CAMELLIA is 16 bytes).
Valid values for the mode are:
@ -747,25 +748,28 @@ Valid values for the mode are:
=item "CS1"
The NIST variant of cipher text stealing.
For message lengths that are multiples of the block size it is equivalent to
using a "AES-CBC" cipher otherwise the second last cipher text block is a
partial block.
For input lengths that are multiples of the block size it is equivalent to
using a "AES-XXX-CBC" or "CAMELLIA-XXX-CBC" cipher otherwise the second last
cipher text block is a partial block.
=item "CS2"
For message lengths that are multiples of the block size it is equivalent to
using a "AES-CBC" cipher, otherwise it is the same as "CS3".
For input lengths that are multiples of the block size it is equivalent to
using a "AES-XXX-CBC" or "CAMELLIA-XXX-CBC" cipher, otherwise it is the same as
"CS3" mode.
=item "CS3"
The Kerberos5 variant of cipher text stealing which always swaps the last
cipher text block with the previous block (which may be a partial or full block
depending on the input length).
depending on the input length). If the input length is exactly one full block
then this is equivalent to using a "AES-XXX-CBC" or "CAMELLIA-XXX-CBC" cipher.
=back
The default is "CS1".
This is only supported for "AES-128-CBC-CTS", "AES-192-CBC-CTS" and "AES-256-CBC-CTS".
This is only supported for "AES-128-CBC-CTS", "AES-192-CBC-CTS", "AES-256-CBC-CTS",
"CAMELLIA-128-CBC-CTS", "CAMELLIA-192-CBC-CTS" and "CAMELLIA-256-CBC-CTS".
=item "tls1multi_interleave" (B<OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE>) <unsigned integer>


+ 2
- 0
doc/man7/EVP_CIPHER-CAMELLIA.pod View File

@ -16,6 +16,8 @@ The following algorithms are available in the default provider:
=item "CAMELLIA-128-CBC", "CAMELLIA-192-CBC" and "CAMELLIA-256-CBC"
=item "CAMELLIA-128-CBC-CTS", "CAMELLIA-192-CBC-CTS" and "CAMELLIA-256-CBC-CTS"
=item "CAMELLIA-128-CFB", "CAMELLIA-192-CFB", "CAMELLIA-256-CFB",
"CAMELLIA-128-CFB1", "CAMELLIA-192-CFB1", "CAMELLIA-256-CFB1",
"CAMELLIA-128-CFB8", "CAMELLIA-192-CFB8" and "CAMELLIA-256-CFB8"


+ 16
- 2
doc/man7/migration_guide.pod View File

@ -219,9 +219,10 @@ unwrapping. The algorithms are: "AES-128-WRAP-INV", "AES-192-WRAP-INV",
=item *
AES CTS cipher added to EVP layer.
CTS ciphers added to EVP layer.
The algorithms are "AES-128-CBC-CTS", "AES-192-CBC-CTS" and "AES-256-CBC-CTS".
The algorithms are "AES-128-CBC-CTS", "AES-192-CBC-CTS", "AES-256-CBC-CTS",
"CAMELLIA-128-CBC-CTS", "CAMELLIA-192-CBC-CTS" and "CAMELLIA-256-CBC-CTS".
CS1, CS2 and CS3 variants are supported.
=back
@ -1220,6 +1221,19 @@ tools, such as compiler memory and leak sanitizers or Valgrind.
=item *
CRYPTO_cts128_encrypt_block(), CRYPTO_cts128_encrypt(),
CRYPTO_cts128_decrypt_block(), CRYPTO_cts128_decrypt(),
CRYPTO_nistcts128_encrypt_block(), CRYPTO_nistcts128_encrypt(),
CRYPTO_nistcts128_decrypt_block(), CRYPTO_nistcts128_decrypt()
Use the higher level functions EVP_CipherInit_ex2(), EVP_CipherUpdate() and
EVP_CipherFinal_ex() instead.
See the "cts_mode" parameter in
L<EVP_EncryptInit(3)/Gettable and Settable EVP_CIPHER_CTX parameters>.
See L<EVP_EncryptInit(3)/EXAMPLES> for a AES-256-CBC-CTS example.
=item *
d2i_DHparams(), d2i_DHxparams(), d2i_DSAparams(), d2i_DSAPrivateKey(),
d2i_DSAPrivateKey_bio(), d2i_DSAPrivateKey_fp(), d2i_DSA_PUBKEY(),
d2i_DSA_PUBKEY_bio(), d2i_DSA_PUBKEY_fp(), d2i_DSAPublicKey(),


+ 3
- 0
providers/defltprov.c View File

@ -251,6 +251,9 @@ static const OSSL_ALGORITHM_CAPABLE deflt_ciphers[] = {
ALG(PROV_NAMES_CAMELLIA_256_CBC, ossl_camellia256cbc_functions),
ALG(PROV_NAMES_CAMELLIA_192_CBC, ossl_camellia192cbc_functions),
ALG(PROV_NAMES_CAMELLIA_128_CBC, ossl_camellia128cbc_functions),
ALG(PROV_NAMES_CAMELLIA_128_CBC_CTS, ossl_camellia128cbc_cts_functions),
ALG(PROV_NAMES_CAMELLIA_192_CBC_CTS, ossl_camellia192cbc_cts_functions),
ALG(PROV_NAMES_CAMELLIA_256_CBC_CTS, ossl_camellia256cbc_cts_functions),
ALG(PROV_NAMES_CAMELLIA_256_OFB, ossl_camellia256ofb_functions),
ALG(PROV_NAMES_CAMELLIA_192_OFB, ossl_camellia192ofb_functions),
ALG(PROV_NAMES_CAMELLIA_128_OFB, ossl_camellia128ofb_functions),


+ 1
- 0
providers/implementations/ciphers/cipher_camellia.c View File

@ -91,3 +91,4 @@ IMPLEMENT_generic_cipher(camellia, CAMELLIA, ctr, CTR, 0, 192, 8, 128, stream)
/* ossl_camellia128ctr_functions */
IMPLEMENT_generic_cipher(camellia, CAMELLIA, ctr, CTR, 0, 128, 8, 128, stream)
#include "cipher_camellia_cts.inc"

+ 94
- 0
providers/implementations/ciphers/cipher_camellia_cts.inc View File

@ -0,0 +1,94 @@
/*
* Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
/* Dispatch functions for CAMELLIA CBC CTS ciphers */
#include <openssl/proverr.h>
#include "cipher_cts.h"
#define CTS_FLAGS PROV_CIPHER_FLAG_CTS
static OSSL_FUNC_cipher_encrypt_init_fn camellia_cbc_cts_einit;
static OSSL_FUNC_cipher_decrypt_init_fn camellia_cbc_cts_dinit;
static OSSL_FUNC_cipher_get_ctx_params_fn camellia_cbc_cts_get_ctx_params;
static OSSL_FUNC_cipher_set_ctx_params_fn camellia_cbc_cts_set_ctx_params;
static OSSL_FUNC_cipher_gettable_ctx_params_fn camellia_cbc_cts_gettable_ctx_params;
static OSSL_FUNC_cipher_settable_ctx_params_fn camellia_cbc_cts_settable_ctx_params;
CIPHER_DEFAULT_GETTABLE_CTX_PARAMS_START(camellia_cbc_cts)
OSSL_PARAM_utf8_string(OSSL_CIPHER_PARAM_CTS_MODE, NULL, 0),
CIPHER_DEFAULT_GETTABLE_CTX_PARAMS_END(camellia_cbc_cts)
static int camellia_cbc_cts_einit(void *ctx, const unsigned char *key, size_t keylen,
const unsigned char *iv, size_t ivlen,
const OSSL_PARAM params[])
{
if (!ossl_cipher_generic_einit(ctx, key, keylen, iv, ivlen, NULL))
return 0;
return camellia_cbc_cts_set_ctx_params(ctx, params);
}
static int camellia_cbc_cts_dinit(void *ctx, const unsigned char *key, size_t keylen,
const unsigned char *iv, size_t ivlen,
const OSSL_PARAM params[])
{
if (!ossl_cipher_generic_dinit(ctx, key, keylen, iv, ivlen, NULL))
return 0;
return camellia_cbc_cts_set_ctx_params(ctx, params);
}
static int camellia_cbc_cts_get_ctx_params(void *vctx, OSSL_PARAM params[])
{
PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
OSSL_PARAM *p;
p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_CTS_MODE);
if (p != NULL) {
const char *name = ossl_cipher_cbc_cts_mode_id2name(ctx->cts_mode);
if (name == NULL || !OSSL_PARAM_set_utf8_string(p, name)) {
ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
return 0;
}
}
return ossl_cipher_generic_get_ctx_params(vctx, params);
}
CIPHER_DEFAULT_SETTABLE_CTX_PARAMS_START(camellia_cbc_cts)
OSSL_PARAM_utf8_string(OSSL_CIPHER_PARAM_CTS_MODE, NULL, 0),
CIPHER_DEFAULT_SETTABLE_CTX_PARAMS_END(camellia_cbc_cts)
static int camellia_cbc_cts_set_ctx_params(void *vctx, const OSSL_PARAM params[])
{
PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
const OSSL_PARAM *p;
int id;
p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_CTS_MODE);
if (p != NULL) {
if (p->data_type != OSSL_PARAM_UTF8_STRING)
goto err;
id = ossl_cipher_cbc_cts_mode_name2id(p->data);
if (id < 0)
goto err;
ctx->cts_mode = (unsigned int)id;
}
return ossl_cipher_generic_set_ctx_params(vctx, params);
err:
ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
return 0;
}
/* ossl_camellia256cbc_cts_functions */
IMPLEMENT_cts_cipher(camellia, CAMELLIA, cbc, CBC, CTS_FLAGS, 256, 128, 128, block)
/* ossl_camellia192cbc_cts_functions */
IMPLEMENT_cts_cipher(camellia, CAMELLIA, cbc, CBC, CTS_FLAGS, 192, 128, 128, block)
/* ossl_camellia128cbc_cts_functions */
IMPLEMENT_cts_cipher(camellia, CAMELLIA, cbc, CBC, CTS_FLAGS, 128, 128, 128, block)

+ 3
- 0
providers/implementations/include/prov/implementations.h View File

@ -129,6 +129,9 @@ extern const OSSL_DISPATCH ossl_camellia128ecb_functions[];
extern const OSSL_DISPATCH ossl_camellia256cbc_functions[];
extern const OSSL_DISPATCH ossl_camellia192cbc_functions[];
extern const OSSL_DISPATCH ossl_camellia128cbc_functions[];
extern const OSSL_DISPATCH ossl_camellia256cbc_cts_functions[];
extern const OSSL_DISPATCH ossl_camellia192cbc_cts_functions[];
extern const OSSL_DISPATCH ossl_camellia128cbc_cts_functions[];
extern const OSSL_DISPATCH ossl_camellia256ofb_functions[];
extern const OSSL_DISPATCH ossl_camellia192ofb_functions[];
extern const OSSL_DISPATCH ossl_camellia128ofb_functions[];


+ 3
- 0
providers/implementations/include/prov/names.h View File

@ -130,6 +130,9 @@
#define PROV_NAMES_CAMELLIA_256_CBC "CAMELLIA-256-CBC:CAMELLIA256:1.2.392.200011.61.1.1.1.4"
#define PROV_NAMES_CAMELLIA_192_CBC "CAMELLIA-192-CBC:CAMELLIA192:1.2.392.200011.61.1.1.1.3"
#define PROV_NAMES_CAMELLIA_128_CBC "CAMELLIA-128-CBC:CAMELLIA128:1.2.392.200011.61.1.1.1.2"
#define PROV_NAMES_CAMELLIA_256_CBC_CTS "CAMELLIA-256-CBC-CTS"
#define PROV_NAMES_CAMELLIA_192_CBC_CTS "CAMELLIA-192-CBC-CTS"
#define PROV_NAMES_CAMELLIA_128_CBC_CTS "CAMELLIA-128-CBC-CTS"
#define PROV_NAMES_CAMELLIA_256_OFB "CAMELLIA-256-OFB:0.3.4401.5.3.1.9.43"
#define PROV_NAMES_CAMELLIA_192_OFB "CAMELLIA-192-OFB:0.3.4401.5.3.1.9.23"
#define PROV_NAMES_CAMELLIA_128_OFB "CAMELLIA-128-OFB:0.3.4401.5.3.1.9.3"


+ 1
- 0
test/recipes/30-test_evp.t View File

@ -86,6 +86,7 @@ my @defltfiles = qw(
evpciph_aria.txt
evpciph_bf.txt
evpciph_camellia.txt
evpciph_camellia_cts.txt
evpciph_cast5.txt
evpciph_chacha.txt
evpciph_des.txt


+ 141
- 0
test/recipes/30-test_evp_data/evpciph_camellia_cts.txt View File

@ -0,0 +1,141 @@
#
# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
Title = Camellia CTS tests from RFC6803
# The encryption test vectors in RFC6803 specify the base_key,
# not the derived encryption key.
# The encryption key was manually derived using:
# ke = KBKDF(mac = CMAC, mode = FEEDBACK, base_key,
# salt = 0000000 || usage || AA,
# seed = 00000000000000000000000000000000)
# NOTE: that the usage was not specified in the test vectors,
# but is listed here in https://www.rfc-editor.org/errata_search.php?rfc=6803
#
# e.g: openssl kdf -cipher CAMELLIA-128-CBC
# -keylen 16
# -kdfopt hexkey:1DC46A8D763F4F93742BCBA3387576C3
# -kdfopt hexsalt:00000000AA
# -kdfopt mode:FEEDBACK
# -kdfopt hexseed:00000000000000000000000000000000
# -mac CMAC
# KBKDF
#
# The ciphertext result also contains a MAC result so this was also manually stripped from the test data.
# The random confounder is also prepended to the plaintext.
#
# 128-bit Camellia key: 1DC46A8D763F4F93742BCBA3387576C3
# Key usage: 0
# Random confounder: B69822A19A6B09C0EBC8557D1F1B6C0A
# Plaintext: (empty)
Cipher = CAMELLIA-128-CBC-CTS
CTSMode = CS3
Key = E99B82B36C4AE8EA19E95DFA9EDE882C
IV = 00000000000000000000000000000000
Plaintext = B69822A19A6B09C0EBC8557D1F1B6C0A
Ciphertext = C466F1871069921EDB7C6FDE244A52DB
# 128-bit Camellia key: 5027BC231D0F3A9D23333F1CA6FDBE7C
# Key usage: 1
# Random confounder: 6F2FC3C2A166FD8898967A83DE9596D9
# Plaintext: 1 (31)
Cipher = CAMELLIA-128-CBC-CTS
CTSMode = CS3
Key = A7EDCD5397EA6D12B0AFF4CB8DAA57AD
IV = 00000000000000000000000000000000
Plaintext = 6F2FC3C2A166FD8898967A83DE9596D931
Ciphertext = 842D21FD950311C0DD464A3F4BE8D6DA88
# 128-bit Camellia key: A1BB61E805F9BA6DDE8FDBDDC05CDEA0
# Key usage: 2
# Random confounder: A5B4A71E077AEEF93C8763C18FDB1F10
# Plaintext: 9 bytesss (392062797465737373)
Cipher = CAMELLIA-128-CBC-CTS
CTSMode = CS3
Key = DDE42ECA7CD9863FC3CE89CBC94362D7
IV = 00000000000000000000000000000000
Plaintext = A5B4A71E077AEEF93C8763C18FDB1F10392062797465737373
Ciphertext = 619FF072E36286FF0A28DEB3A352EC0D0EDF5C5160D663C901
# 128-bit Camellia key: 2CA27A5FAF5532244506434E1CEF6676
# Key usage: 3
# Random confounder: 19FEE40D810C524B5B22F01874C693DA
# Plaintext: 13 bytes byte (31332062797465732062797465)
Cipher = CAMELLIA-128-CBC-CTS
CTSMode = CS3
Key = C3113A258590B9AEBF721B1AF6B0CBF8
IV = 00000000000000000000000000000000
Plaintext = 19FEE40D810C524B5B22F01874C693DA31332062797465732062797465
Ciphertext = B8ECA3167AE6315512E59F98A7C500205E5F63FF3BB389AF1C41A21D64
# 128-bit Camellia key: 7824F8C16F83FF354C6BF7515B973F43
# Key usage: 4
# Random confounder: CA7A7AB4BE192DABD603506DB19C39E2
# Plaintext: 30 bytes bytes bytes bytes byt (333020627974657320627974657320627974657320627974657320627974)
Cipher = CAMELLIA-128-CBC-CTS
CTSMode = CS3
Key = 8B07EED30149916AA20DB3F5CED8AFAD
IV = 00000000000000000000000000000000
Plaintext = CA7A7AB4BE192DABD603506DB19C39E2333020627974657320627974657320627974657320627974657320627974
Ciphertext = A26A3905A4FFD5816B7B1E27380D08090C8EC1F304496E1ABDCD2BDCD1DFFC660989E117A713DDBB57A4146C1587
# 256-bit Camellia key: B61C86CC4E5D2757545AD423399FB7031ECAB913CBB900BD7A3C6DD8BF92015B
# Key usage: 0
# Random confounder: 3CBBD2B45917941067F96599BB98926C
# Plaintext: (empty)
Cipher = CAMELLIA-256-CBC-CTS
CTSMode = CS3
Key = 6CCB3F25D8AE57F4E8F6CA474BDDEFF116CE131B3F71012E756D6B1E3F70A7F1
IV = 00000000000000000000000000000000
Plaintext = 3CBBD2B45917941067F96599BB98926C
Ciphertext = 03886D03310B47A6D8F06D7B94D1DD83
# 256-bit Camellia key: 1B97FE0A190E2021EB30753E1B6E1E77B0754B1D684610355864104963463833
# Key usage: 1
# Random confounder: DEF487FCEBE6DE6346D4DA4521BBA2D2
# Plaintext: 1 (31)
Cipher = CAMELLIA-256-CBC-CTS
CTSMode = CS3
Key = E93173AA01EB3C246231DAFC7802EE32AF24851D8C7387D18CB9B2C5B7F570B8
IV = 00000000000000000000000000000000
Plaintext = DEF487FCEBE6DE6346D4DA4521BBA2D231
Ciphertext = 2C9C1570133C99BF6A34BC1B0212002FD1
# 256-bit Camellia key: 32164C5B434D1D1538E4CFD9BE8040FE8C4AC7ACC4B93D3314D2133668147A05
# Key usage: 2
# Random confounder: AD4FF904D34E555384B14100FC465F88
# Plaintext: 9 bytesss (392062797465737373)
Cipher = CAMELLIA-256-CBC-CTS
CTSMode = CS3
Key = CDA2D39A9B243FFEB56E8D5F4BD528741ECB520C62123FB040B8418B15C7D70C
IV = 00000000000000000000000000000000
Plaintext = AD4FF904D34E555384B14100FC465F88392062797465737373
Ciphertext = 9C6DE75F812DE7ED0D28B2963557A115640998275B0AF51527
# 256-bit Camellia key: B038B132CD8E06612267FAB7170066D88AECCBA0B744BFC60DC89BCA182D0715
# Key usage: 3
# Random confounder: CF9BCA6DF1144E0C0AF9B8F34C90D514
# Plaintext: 13 bytes byte (31332062797465732062797465)
Cipher = CAMELLIA-256-CBC-CTS
CTSMode = CS3
Key = CD8A10E279DADDB6901EC30BDF9873250F6EFC6A77367D74DC3EE7F74BC7774E
IV = 00000000000000000000000000000000
Plaintext = CF9BCA6DF1144E0C0AF9B8F34C90D51431332062797465732062797465
Ciphertext = EEEC85A9813CDC536772AB9B42DEFC5706F726E975DDE05A87EB5406EA
# 256-bit Camellia key: CCFCD349BF4C6677E86E4B02B8EAB924A546AC731CF9BF6989B996E7D6BFBBA7
# Key usage: 4
# Random confounder: 644DEF38DA35007275878D216855E228
# Plaintext: 30 bytes bytes bytes bytes byt (333020627974657320627974657320627974657320627974657320627974)
Cipher = CAMELLIA-256-CBC-CTS
CTSMode = CS3
Key = 1D5147F34BB001A04A68A71346E7654E0223A60D90BC2B79B4D87956D47CD42A
IV = 00000000000000000000000000000000
Plaintext = 644DEF38DA35007275878D216855E228333020627974657320627974657320627974657320627974657320627974
Ciphertext = 0E44680985855F2D1F1812529CA83BFD8E349DE6FD9ADA0BAAA048D68E265FEBF34AD1255A344999AD37146887A6

Loading…
Cancel
Save