cts128.c: add support for NIST "Ciphertext Stealing" proposal.

 * deviates from mentioned RFCs. Most notably it allows input to be

 * of block length and it doesn't flip the order of the last two

 * blocks. CTS is being discussed even in ECB context, but it's not

 * adopted for any known application. This implementation complies

 * with mentioned RFCs and [as such] extends CBC mode.

 * adopted for any known application. This implementation provides

 * two interfaces: one compliant with above mentioned RFCs and one

 * compliant with the NIST proposal, both extending CBC mode.

 */

size_t CRYPTO_cts128_encrypt_block(const unsigned char *in, unsigned char *out,

	return len+residue;

}

size_t CRYPTO_nistcts128_encrypt_block(const unsigned char *in, unsigned char *out,

			size_t len, const void *key,

			unsigned char ivec[16], block128_f block)

{	size_t residue, n;

	assert (in && out && key && ivec);

	if (len < 16) return 0;

	residue=len%16;

	len -= residue;

	CRYPTO_cbc128_encrypt(in,out,len,key,ivec,block);

	if (residue==0)	return len;

	in  += len;

	out += len;

	for (n=0; n<residue; ++n)

		ivec[n] ^= in[n];

	(*block)(ivec,ivec,key);

	memcpy(out-16+residue,ivec,16);

	return len+residue;

}

size_t CRYPTO_cts128_encrypt(const unsigned char *in, unsigned char *out,

			size_t len, const void *key,

			unsigned char ivec[16], cbc128_f cbc)

	return len+residue;

}

size_t CRYPTO_nistcts128_encrypt(const unsigned char *in, unsigned char *out,

			size_t len, const void *key,

			unsigned char ivec[16], cbc128_f cbc)

{	size_t residue;

	union { size_t align; unsigned char c[16]; } tmp;

	assert (in && out && key && ivec);

	if (len < 16) return 0;

	residue=len%16;

	len -= residue;

	(*cbc)(in,out,len,key,ivec,1);

	if (residue==0) return len;

	in  += len;

	out += len;

#if defined(CBC_HANDLES_TRUNCATED_IO)

	(*cbc)(in,out-16+residue,residue,key,ivec,1);

#else

	{

	size_t n;

	for (n=0; n<16; n+=sizeof(size_t))

		*(size_t *)(tmp.c+n) = 0;

	memcpy(tmp.c,in,residue);

	}

	(*cbc)(tmp.c,out-16+residue,16,key,ivec,1);

#endif

	return len+residue;

}

size_t CRYPTO_cts128_decrypt_block(const unsigned char *in, unsigned char *out,

			size_t len, const void *key,

			unsigned char ivec[16], block128_f block)

	for(residue+=16; n<residue; ++n)

		out[n] = tmp.c[n] ^ in[n];

	return len+residue-16;

	return 16+len+residue;

}

size_t CRYPTO_nistcts128_decrypt_block(const unsigned char *in, unsigned char *out,

			size_t len, const void *key,

			unsigned char ivec[16], block128_f block)

{	size_t residue, n;

	union { size_t align; unsigned char c[32]; } tmp;

	assert (in && out && key && ivec);

	if (len<16) return 0;

	residue=len%16;

	if (residue==0) {

		CRYPTO_cbc128_decrypt(in,out,len,key,ivec,block);

		return len;

	}

	len -= 16+residue;

	if (len) {

		CRYPTO_cbc128_decrypt(in,out,len,key,ivec,block);

		in  += len;

		out += len;

	}

	(*block)(in+residue,tmp.c+16,key);

	for (n=0; n<16; n+=sizeof(size_t))

		*(size_t *)(tmp.c+n) = *(size_t *)(tmp.c+16+n);

	memcpy(tmp.c,in,residue);

	(*block)(tmp.c,tmp.c,key);

	for(n=0; n<16; ++n) {

		unsigned char c = in[n];

		out[n] = tmp.c[n] ^ ivec[n];

		ivec[n] = in[n+residue];

		tmp.c[n] = c;

	}

	for(residue+=16; n<residue; ++n)

		out[n] = tmp.c[n] ^ tmp.c[n-16];

	return 16+len+residue;

}

size_t CRYPTO_cts128_decrypt(const unsigned char *in, unsigned char *out,

	(*cbc)(tmp.c,tmp.c,32,key,ivec,0);

	memcpy(out,tmp.c,16+residue);

#endif

	return len+residue;

	return 16+len+residue;

}

size_t CRYPTO_nistcts128_decrypt(const unsigned char *in, unsigned char *out,

			size_t len, const void *key,

			unsigned char ivec[16], cbc128_f cbc)

{	size_t residue, n;

	union { size_t align; unsigned char c[32]; } tmp;

	assert (in && out && key && ivec);

	if (len<16) return 0;

	residue=len%16;

	if (residue==0) {

		(*cbc)(in,out,len,key,ivec,0);

		return len;

	}

	len -= 16+residue;

	if (len) {

		(*cbc)(in,out,len,key,ivec,0);

		in  += len;

		out += len;

	}

	for (n=16; n<32; n+=sizeof(size_t))

		*(size_t *)(tmp.c+n) = 0;

	/* this places in[16] at &tmp.c[16] and decrypted block at &tmp.c[0] */

	(*cbc)(in+residue,tmp.c,16,key,tmp.c+16,0);

	memcpy(tmp.c,in,residue);

#if defined(CBC_HANDLES_TRUNCATED_IO)

	(*cbc)(tmp.c,out,16+residue,key,ivec,0);

#else

	(*cbc)(tmp.c,tmp.c,32,key,ivec,0);

	memcpy(out,tmp.c,16+residue);

#endif

	return 16+len+residue;

}

#if defined(SELFTEST)

static AES_KEY encks, decks;

void test_vector(const unsigned char *vector,size_t len)

{	unsigned char cleartext[64];

	unsigned char iv[sizeof(test_iv)];

	unsigned char ciphertext[64];

{	unsigned char iv[sizeof(test_iv)];

	unsigned char cleartext[64],ciphertext[64];

	size_t tail;

	printf("vector_%d\n",len); fflush(stdout);

		fprintf(stderr,"iv_%d mismatch\n",len), exit(4);

}

main()

void test_nistvector(const unsigned char *vector,size_t len)

{	unsigned char iv[sizeof(test_iv)];

	unsigned char cleartext[64],ciphertext[64],nistvector[64];

	size_t tail;

	printf("nistvector_%d\n",len); fflush(stdout);

	if ((tail=len%16) == 0) tail = 16;

	len -= 16 + tail;

	memcpy(nistvector,vector,len);

	/* flip two last blocks */

	memcpy(nistvector+len,vector+len+16,tail);

	memcpy(nistvector+len+tail,vector+len,16);

	len += 16 + tail;

	tail = 16;

	/* test block-based encryption */

	memcpy(iv,test_iv,sizeof(test_iv));

	CRYPTO_nistcts128_encrypt_block(test_input,ciphertext,len,&encks,iv,(block128_f)AES_encrypt);

	if (memcmp(ciphertext,nistvector,len))

		fprintf(stderr,"output_%d mismatch\n",len), exit(1);

	if (memcmp(iv,nistvector+len-tail,sizeof(iv)))

		fprintf(stderr,"iv_%d mismatch\n",len), exit(1);

	/* test block-based decryption */

	memcpy(iv,test_iv,sizeof(test_iv));

	CRYPTO_nistcts128_decrypt_block(ciphertext,cleartext,len,&decks,iv,(block128_f)AES_decrypt);

	if (memcmp(cleartext,test_input,len))

		fprintf(stderr,"input_%d mismatch\n",len), exit(2);

	if (memcmp(iv,nistvector+len-tail,sizeof(iv)))

		fprintf(stderr,"iv_%d mismatch\n",len), exit(2);

	/* test streamed encryption */

	memcpy(iv,test_iv,sizeof(test_iv));

	CRYPTO_nistcts128_encrypt(test_input,ciphertext,len,&encks,iv,(cbc128_f)AES_cbc_encrypt);

	if (memcmp(ciphertext,nistvector,len))

		fprintf(stderr,"output_%d mismatch\n",len), exit(3);

	if (memcmp(iv,nistvector+len-tail,sizeof(iv)))

		fprintf(stderr,"iv_%d mismatch\n",len), exit(3);

	/* test streamed decryption */

	memcpy(iv,test_iv,sizeof(test_iv));

	CRYPTO_nistcts128_decrypt(ciphertext,cleartext,len,&decks,iv,(cbc128_f)AES_cbc_encrypt);

	if (memcmp(cleartext,test_input,len))

		fprintf(stderr,"input_%d mismatch\n",len), exit(4);

	if (memcmp(iv,nistvector+len-tail,sizeof(iv)))

		fprintf(stderr,"iv_%d mismatch\n",len), exit(4);

}

int main()

{

	AES_set_encrypt_key(test_key,128,&encks);

	AES_set_decrypt_key(test_key,128,&decks);

	test_vector(vector_47,sizeof(vector_47));

	test_vector(vector_48,sizeof(vector_48));

	test_vector(vector_64,sizeof(vector_64));

	exit(0);

	test_nistvector(vector_17,sizeof(vector_17));

	test_nistvector(vector_31,sizeof(vector_31));

	test_nistvector(vector_32,sizeof(vector_32));

	test_nistvector(vector_47,sizeof(vector_47));

	test_nistvector(vector_48,sizeof(vector_48));

	test_nistvector(vector_64,sizeof(vector_64));

	return 0;

}

#endif

size_t CRYPTO_cts128_decrypt(const unsigned char *in, unsigned char *out,

			size_t len, const void *key,

			unsigned char ivec[16], cbc128_f cbc);

size_t CRYPTO_nistcts128_encrypt_block(const unsigned char *in, unsigned char *out,

			size_t len, const void *key,

			unsigned char ivec[16], block128_f block);

size_t CRYPTO_nistcts128_encrypt(const unsigned char *in, unsigned char *out,

			size_t len, const void *key,

			unsigned char ivec[16], cbc128_f cbc);

size_t CRYPTO_nistcts128_decrypt_block(const unsigned char *in, unsigned char *out,

			size_t len, const void *key,

			unsigned char ivec[16], block128_f block);

size_t CRYPTO_nistcts128_decrypt(const unsigned char *in, unsigned char *out,

			size_t len, const void *key,

			unsigned char ivec[16], cbc128_f cbc);