--- /dev/null
+/*
+ * Copyright (c) 2000-2001 Apple Computer, Inc. All Rights Reserved.
+ *
+ * The contents of this file constitute Original Code as defined in and are
+ * subject to the Apple Public Source License Version 1.2 (the 'License').
+ * You may not use this file except in compliance with the License. Please obtain
+ * a copy of the License at http://www.apple.com/publicsource and read it before
+ * using this file.
+ *
+ * This Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
+ * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
+ * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
+ * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
+ * specific language governing rights and limitations under the License.
+ */
+
+
+/*
+ * BlockCryptor.cpp - common context for block-oriented encryption algorithms
+ *
+ * Created March 5 2001 by dmitch
+ */
+
+#include "BlockCryptor.h"
+#include "BinaryKey.h"
+#include "AppleCSPSession.h"
+#include <security_utilities/alloc.h>
+#include <Security/cssmerr.h>
+#include <string.h>
+#include <security_utilities/debugging.h>
+#include <security_cdsa_utilities/cssmdata.h>
+
+#define BlockCryptDebug(args...) secdebug("blockCrypt", ## args)
+#define bprintf(args...) secdebug("blockCryptBuf", ## args)
+#define ioprintf(args...) secdebug("blockCryptIo", ## args)
+
+BlockCryptor::~BlockCryptor()
+{
+ if(mInBuf) {
+ memset(mInBuf, 0, mInBlockSize);
+ session().free(mInBuf);
+ mInBuf = NULL;
+ }
+ if(mChainBuf) {
+ memset(mChainBuf, 0, mInBlockSize);
+ session().free(mChainBuf);
+ mChainBuf = NULL;
+ }
+ mInBufSize = 0;
+}
+
+/*
+ * Reusable setup functions called from subclass's init.
+ * This is the general purpose one....
+ */
+void BlockCryptor::setup(
+ size_t blockSizeIn, // block size of input
+ size_t blockSizeOut, // block size of output
+ bool pkcsPad, // this class performs PKCS{5,7} padding
+ bool needsFinal, // needs final update with valid data
+ BC_Mode mode, // ECB, CBC
+ const CssmData *iv) // init vector, required for CBC
+ //Ê must be at least blockSizeIn bytes
+{
+ if(pkcsPad && needsFinal) {
+ BlockCryptDebug("BlockCryptor::setup pkcsPad && needsFinal");
+ CssmError::throwMe(CSSMERR_CSP_INTERNAL_ERROR);
+ }
+ mPkcsPadding = pkcsPad;
+ mMode = mode;
+ mNeedFinalData = needsFinal;
+
+ /* set up inBuf, all configurations */
+ if(mInBuf != NULL) {
+ /* only reuse if same size */
+ if(mInBlockSize != blockSizeIn) {
+ session().free(mInBuf);
+ mInBuf = NULL;
+ }
+ }
+ if(mInBuf == NULL) {
+ mInBuf = (uint8 *)session().malloc(blockSizeIn);
+ }
+
+ /* set up chain buf, decrypt/CBC only; skip if algorithm does its own chaining */
+ if((mMode == BCM_CBC) && !encoding() && !mCbcCapable) {
+ if(mChainBuf != NULL) {
+ /* only reuse if same size */
+ if(mInBlockSize != blockSizeIn) {
+ session().free(mChainBuf);
+ mChainBuf = NULL;
+ }
+ }
+ if(mChainBuf == NULL) {
+ mChainBuf = (uint8 *)session().malloc(blockSizeIn);
+ }
+ }
+
+ /* IV iff CBC mode, and ensure IV is big enough */
+ switch(mMode) {
+ case BCM_ECB:
+ if(iv != NULL) {
+ CssmError::throwMe(CSSMERR_CSP_INVALID_ATTR_INIT_VECTOR);
+ }
+ break;
+ case BCM_CBC:
+ if(iv == NULL) {
+ CssmError::throwMe(CSSMERR_CSP_MISSING_ATTR_INIT_VECTOR);
+ }
+ if(blockSizeIn != blockSizeOut) {
+ /* no can do, must be same block sizes */
+ CssmError::throwMe(CSSMERR_CSP_INVALID_ATTR_MODE);
+ }
+ if(iv->Length < blockSizeIn) {
+ /* not enough IV */
+ CssmError::throwMe(CSSMERR_CSP_INVALID_ATTR_INIT_VECTOR);
+ }
+ /* save IV as appropriate */
+ if(!mCbcCapable) {
+ if(encoding()) {
+ memmove(mInBuf, iv->Data, blockSizeIn);
+ }
+ else {
+ assert(mChainBuf != NULL);
+ memmove(mChainBuf, iv->Data, blockSizeIn);
+ }
+ }
+ break;
+ }
+
+ mInBlockSize = blockSizeIn;
+ mInBufSize = 0;
+ mOutBlockSize = blockSizeOut;
+ mOpStarted = false;
+}
+
+/*
+ * This one is used by simple, well-behaved algorithms which don't do their own
+ * padding and which rely on us to do everything but one-block-at-a-time
+ * encrypt and decrypt.
+ */
+void BlockCryptor::setup(
+ size_t blockSize, // block size of input and output
+ const Context &context)
+{
+ bool padEnable = false;
+ bool chainEnable = false;
+ bool ivEnable = false;
+ CssmData *iv = NULL;
+
+ /*
+ * Validate context
+ * IV optional per mode
+ * pad optional per mode
+ * Currently we ignore extraneous attributes (e.g., it's OK to pass in
+ * an IV if the mode doesn't specify it), mainly for simplifying test routines.
+ */
+ CSSM_ENCRYPT_MODE cssmMode = context.getInt(CSSM_ATTRIBUTE_MODE);
+
+ switch (cssmMode) {
+ /* no mode attr --> 0 == CSSM_ALGMODE_NONE, not currently supported */
+ case CSSM_ALGMODE_CBCPadIV8:
+ padEnable = true;
+ ivEnable = true;
+ chainEnable = true;
+ break;
+
+ case CSSM_ALGMODE_CBC_IV8:
+ ivEnable = true;
+ chainEnable = true;
+ break;
+
+ case CSSM_ALGMODE_ECB:
+ break;
+
+ case CSSM_ALGMODE_ECBPad:
+ padEnable = true;
+ break;
+
+ default:
+ errorLog1("DESContext::init: illegal mode (%d)\n", (int)cssmMode);
+ CssmError::throwMe(CSSMERR_CSP_INVALID_ATTR_MODE);
+ }
+
+ if(padEnable) {
+ /* validate padding type */
+ uint32 padding = context.getInt(CSSM_ATTRIBUTE_PADDING); // 0 ==> PADDING_NONE
+ if(blockSize == 8) {
+ switch(padding) {
+ /* backwards compatibility - used to be PKCS1, should be PKCS5 or 7 */
+ case CSSM_PADDING_PKCS7:
+ case CSSM_PADDING_PKCS5:
+ case CSSM_PADDING_PKCS1: //Êthis goes away soon
+ /* OK */
+ break;
+ default:
+ CssmError::throwMe(CSSMERR_CSP_INVALID_ATTR_PADDING);
+ }
+ }
+ else {
+ switch(padding) {
+ case CSSM_PADDING_PKCS5: // this goes away soon
+ case CSSM_PADDING_PKCS7:
+ /* OK */
+ break;
+ default:
+ CssmError::throwMe(CSSMERR_CSP_INVALID_ATTR_PADDING);
+ }
+ }
+ }
+ if(ivEnable) {
+ /* make sure there's an IV in the context of sufficient length */
+ iv = context.get<CssmData>(CSSM_ATTRIBUTE_INIT_VECTOR);
+ if(iv == NULL) {
+ CssmError::throwMe(CSSMERR_CSP_MISSING_ATTR_INIT_VECTOR);
+ }
+ if(iv->Length < blockSize) {
+ CssmError::throwMe(CSSMERR_CSP_INVALID_ATTR_INIT_VECTOR);
+ }
+ }
+ setup(blockSize,
+ blockSize,
+ padEnable,
+ false, // needsFinal
+ chainEnable ? BCM_CBC : BCM_ECB,
+ iv);
+}
+
+/*
+ * Update always leaves some data in mInBuf if:
+ * mNeedsFinalData is true, or
+ * decrypting and mPkcsPadding true.
+ * Also, we always process all of the input (except on error).
+ */
+void BlockCryptor::update(
+ void *inp,
+ size_t &inSize, // in/out
+ void *outp,
+ size_t &outSize) // in/out
+{
+ uint8 *uInp = (UInt8 *)inp;
+ uint8 *uOutp = (UInt8 *)outp;
+ size_t uInSize = inSize; // input bytes to go
+ size_t uOutSize = 0; // ouput bytes generated
+ size_t uOutLeft = outSize; // bytes remaining in outp
+ size_t toMove;
+ size_t actMoved;
+ unsigned i;
+ bool needLeftOver = mNeedFinalData || (!encoding() && mPkcsPadding);
+ bool doCbc = (mMode == BCM_CBC) && !mCbcCapable;
+
+ assert(mInBuf != NULL);
+ mOpStarted = true;
+
+ if(mInBufSize) {
+ /* attempt to fill mInBuf from inp */
+ toMove = mInBlockSize - mInBufSize;
+ if(toMove > uInSize) {
+ toMove = uInSize;
+ }
+ if(encoding() && doCbc) {
+ /* xor into last cipherblock or IV */
+ for(i=0; i<toMove; i++) {
+ mInBuf[mInBufSize + i] ^= *uInp++;
+ }
+ }
+ else {
+ /* use incoming data as is */
+ memmove(mInBuf+mInBufSize, uInp, toMove);
+ uInp += toMove;
+ }
+ uInSize -= toMove;
+ mInBufSize += toMove;
+ /*
+ * Process inBuf if it's full, but skip if no more data in uInp and
+ * inBuf might be needed (by us for unpadding on decrypt, or by
+ * subclass for anything) for a final call
+ */
+ if((mInBufSize == mInBlockSize) && !((uInSize == 0) && needLeftOver)) {
+ actMoved = uOutLeft;
+ if(encoding()) {
+ encryptBlock(mInBuf, mInBlockSize, uOutp, actMoved, false);
+ if(doCbc) {
+ /* save ciphertext for chaining next block */
+ assert(mInBlockSize == actMoved);
+ memmove(mInBuf, uOutp, mInBlockSize);
+ }
+ }
+ else {
+ decryptBlock(mInBuf, mInBlockSize, uOutp, actMoved, false);
+ if(doCbc) {
+ /* xor in last ciphertext */
+ assert(mInBlockSize == actMoved);
+ for(i=0; i<mInBlockSize; i++) {
+ uOutp[i] ^= mChainBuf[i];
+ }
+ /* save this ciphertext for next chain */
+ memmove(mChainBuf, mInBuf, mInBlockSize);
+ }
+ }
+ uOutSize += actMoved;
+ uOutp += actMoved;
+ uOutLeft -= actMoved;
+ mInBufSize = 0;
+ assert(uOutSize <= outSize);
+ }
+ } /* processing mInBuf */
+ if(uInSize == 0) {
+ /* done */
+ outSize = uOutSize;
+ ioprintf("=== BlockCryptor::update encrypt %d inSize 0x%lx outSize 0x%lx",
+ encoding() ? 1 : 0, inSize, outSize);
+ return;
+ }
+
+
+ /*
+ * en/decrypt even blocks in (remaining) inp.
+ */
+ unsigned leftOver = uInSize % mInBlockSize;
+ if((leftOver == 0) && needLeftOver) {
+ /*
+ * Even blocks coming in, but we really need to leave some data
+ * in the buffer (because the subclass asked for it, or we're decrypting
+ * with PKCS padding). Save one block for mInBuf.
+ */
+ leftOver = mInBlockSize;
+ }
+ toMove = uInSize - leftOver;
+ size_t blocks = toMove / mInBlockSize;
+ if(mMultiBlockCapable && !doCbc && (blocks != 0)) {
+ /*
+ * Optimization for algorithms that are multi-block capable and that
+ * can do their own CBC (if necessary).
+ */
+ size_t thisMove = blocks * mInBlockSize;
+ actMoved = uOutLeft;
+ if(encoding()) {
+ encryptBlock(uInp, thisMove, uOutp, actMoved, false);
+ }
+ else {
+ decryptBlock(uInp, thisMove, uOutp, actMoved, false);
+ }
+ uOutSize += actMoved;
+ uOutp += actMoved;
+ uInp += thisMove;
+ uOutLeft -= actMoved;
+ toMove -= thisMove;
+ assert(uOutSize <= outSize);
+ }
+ else if(encoding()) {
+ while(toMove) {
+ actMoved = uOutLeft;
+ if(!doCbc) {
+ /* encrypt directly from input to output */
+ encryptBlock(uInp, mInBlockSize, uOutp, actMoved, false);
+ }
+ else {
+ /* xor into last ciphertext, encrypt the result */
+ for(i=0; i<mInBlockSize; i++) {
+ mInBuf[i] ^= uInp[i];
+ }
+ encryptBlock(mInBuf, mInBlockSize, uOutp, actMoved, false);
+
+ /* save new ciphertext for next chain */
+ assert(actMoved == mInBlockSize);
+ memmove(mInBuf, uOutp, mInBlockSize);
+ }
+ uOutSize += actMoved;
+ uOutp += actMoved;
+ uInp += mInBlockSize;
+ uOutLeft -= actMoved;
+ toMove -= mInBlockSize;
+ assert(uOutSize <= outSize);
+ } /* main encrypt loop */
+
+ }
+ else {
+ /* decrypting */
+ while(toMove) {
+ actMoved = uOutLeft;
+ if(doCbc) {
+ /* save this ciphertext for chain; don't assume in != out */
+ memmove(mInBuf, uInp, mInBlockSize);
+ decryptBlock(uInp, mInBlockSize, uOutp, actMoved, false);
+
+ /* chain in previous ciphertext */
+ assert(mInBlockSize == actMoved);
+ for(i=0; i<mInBlockSize; i++) {
+ uOutp[i] ^= mChainBuf[i];
+ }
+
+ /* save current ciphertext for next block */
+ memmove(mChainBuf, mInBuf, mInBlockSize);
+ }
+ else {
+ /* ECB */
+ decryptBlock(uInp, mInBlockSize, uOutp, actMoved, false);
+ }
+ uOutSize += actMoved;
+ uOutp += actMoved;
+ uInp += mInBlockSize;
+ uOutLeft -= actMoved;
+ toMove -= mInBlockSize;
+ assert(uOutSize <= outSize);
+ } /* main decrypt loop */
+
+ }
+
+ /* leftover bytes from inp --> mInBuf */
+ if(leftOver) {
+ if(encoding() && doCbc) {
+ /* xor into last cipherblock or IV */
+ for(i=0; i<leftOver; i++) {
+ mInBuf[i] ^= *uInp++;
+ }
+ }
+ else {
+ if(mInBuf && uInp && leftOver) memmove(mInBuf, uInp, leftOver);
+ }
+ }
+
+ mInBufSize = leftOver;
+ outSize = uOutSize;
+ ioprintf("=== BlockCryptor::update encrypt %d inSize 0x%lx outSize 0x%lx",
+ encoding() ? 1 : 0, inSize, outSize);
+}
+
+void BlockCryptor::final(
+ CssmData &out)
+{
+ size_t uOutSize = 0; // ouput bytes generated
+ size_t actMoved;
+ size_t uOutLeft = out.Length; // bytes remaining in out
+ unsigned i;
+ bool doCbc = (mMode == BCM_CBC) && !mCbcCapable;
+
+ assert(mInBuf != NULL);
+ mOpStarted = true;
+ if((mInBufSize == 0) && mNeedFinalData) {
+ /* only way this could happen: no update() called (at least not with
+ * non-zero input data sizes) */
+ BlockCryptDebug("BlockCryptor::final with no mInBuf data");
+ CssmError::throwMe(CSSMERR_CSP_INPUT_LENGTH_ERROR);
+ }
+ if(encoding()) {
+ uint8 *ctext = out.Data;
+
+ if(mPkcsPadding) {
+ /*
+ * PKCS5/7 padding: pad byte = size of padding.
+ * This assertion courtesy of the limitation on the mutual
+ * exclusivity of mPkcsPadding and mNeedFinalData.
+ */
+ assert(mInBufSize < mInBlockSize);
+ size_t padSize = mInBlockSize - mInBufSize;
+ uint8 *padPtr = mInBuf + mInBufSize;
+ if(!doCbc) {
+ for(i=0; i<padSize; i++) {
+ *padPtr++ = padSize;
+ }
+ }
+ else {
+ for(i=0; i<padSize; i++) {
+ *padPtr++ ^= padSize;
+ }
+ }
+ mInBufSize = mInBlockSize;
+ } /* PKCS padding */
+
+ /*
+ * Encrypt final mInBuf. If it's not full, the BlockCryptObject better know
+ * how to pad....
+ */
+ if(mInBufSize) {
+ actMoved = uOutLeft;
+ encryptBlock(mInBuf, mInBufSize, ctext, actMoved, true);
+ uOutSize += actMoved;
+ mInBufSize = 0;
+ assert(uOutSize <= out.length());
+ }
+ out.length(uOutSize);
+ } /* encrypting */
+
+ else {
+ if(mInBufSize == 0) {
+ if(mPkcsPadding) {
+ BlockCryptDebug("BlockCryptor::final decrypt/pad with no mInBuf data");
+ CssmError::throwMe(CSSMERR_CSP_INPUT_LENGTH_ERROR);
+ }
+ else {
+ /* simple decrypt op complete */
+ ioprintf("=== BlockCryptor::final encrypt 0 outSize 0");
+ out.length(0);
+ return;
+ }
+ }
+
+ /*
+ * Decrypt - must have exactly one block of ciphertext.
+ * We trust CSPContext, and our own outputSize(), to have set up
+ * the current output buffer with enough space to handle the
+ * full size of the decrypt, even though - due to padding - we
+ * might actually pass less than that amount back to caller.
+ */
+ if(mInBufSize != mInBlockSize) {
+ BlockCryptDebug("BlockCryptor::final unaligned ciphertext");
+ CssmError::throwMe(CSSMERR_CSP_INPUT_LENGTH_ERROR);
+ }
+
+ uint8 *ptext = out.Data;
+ actMoved = uOutLeft;
+ decryptBlock(mInBuf, mInBlockSize, ptext, actMoved, true);
+ if(doCbc) {
+ /* chain in previous ciphertext one more time */
+ assert(mInBlockSize == actMoved);
+ for(i=0; i<mInBlockSize; i++) {
+ ptext[i] ^= mChainBuf[i];
+ }
+ }
+ if(mPkcsPadding) {
+ assert(actMoved == mOutBlockSize);
+
+ /* ensure integrity of padding byte(s) */
+ unsigned padSize = ptext[mOutBlockSize - 1];
+ if(padSize > mOutBlockSize) {
+ BlockCryptDebug("BlockCryptor::final malformed ciphertext (1)");
+ CssmError::throwMe(CSSM_ERRCODE_INVALID_DATA);
+ }
+ uint8 *padPtr = ptext + mOutBlockSize - padSize;
+ for(unsigned i=0; i<padSize; i++) {
+ if(*padPtr++ != padSize) {
+ BlockCryptDebug("BlockCryptor::final malformed ciphertext "
+ "(2)");
+ CssmError::throwMe(CSSM_ERRCODE_INVALID_DATA);
+ }
+ }
+ actMoved -= padSize;
+ }
+ assert(actMoved <= out.length());
+ out.length(actMoved);
+ } /* decrypting */
+ ioprintf("=== BlockCryptor::final encrypt %d outSize 0x%lx",
+ encoding() ? 1 : 0, out.Length);
+}
+
+/*
+ * These three are only valid for algorithms for which encrypting one block
+ * of plaintext always yields exactly one block of ciphertext, and vice versa
+ * for decrypt. The block sizes for plaintext and ciphertext do NOT have to be
+ * the same. Subclasses (e.g. FEED) which do not meet this criterion will have
+ * to override.
+ */
+
+void BlockCryptor::minimumProgress(
+ size_t &inSize,
+ size_t &outSize)
+{
+ /* each size = one block (including buffered input) */
+ inSize = mInBlockSize - mInBufSize;
+ if(inSize == 0) {
+ /* i.e., we're holding a whole buffer */
+ inSize++;
+ }
+ outSize = mOutBlockSize;
+ bprintf("--- BlockCryptor::minProgres inSize 0x%lx outSize 0x%lx mInBufSize 0x%lx",
+ inSize, outSize, mInBufSize);
+}
+
+size_t BlockCryptor::inputSize(
+ size_t outSize) // input for given output size
+{
+ size_t inSize;
+
+ if(outSize < mOutBlockSize) {
+ /*
+ * Sometimes CSPFullPluginSession calls us like this....in this
+ * case the legal inSize is just the remainder of the input buffer,
+ * less one byte (in other words, the max we we gobble up without
+ * producing any output).
+ */
+ inSize = mInBlockSize - mInBufSize;
+ if(inSize == 0) {
+ /* we have a full input buffer! How can this happen!? */
+ BlockCryptDebug("BlockCryptor::inputSize: HELP! zero inSize and outSize!\n");
+ }
+ }
+ else {
+ /* more-or-less normal case */
+ size_t wholeBlocks = outSize / mOutBlockSize;
+ assert(wholeBlocks >= 1);
+ inSize = (wholeBlocks * mInBlockSize) - mInBufSize;
+ if(inSize == 0) {
+ /* i.e., we're holding a whole buffer */
+ inSize++;
+ }
+ }
+ bprintf("--- BlockCryptor::inputSize inSize 0x%lx outSize 0x%lx mInBufSize 0x%lx",
+ inSize, outSize, mInBufSize);
+ return inSize;
+}
+
+size_t BlockCryptor::outputSize(
+ bool final,
+ size_t inSize /*= 0*/) // output for given input size
+{
+ size_t rawBytes = inSize + mInBufSize;
+ // huh?Êdon't round this up!
+ //size_t rawBlocks = (rawBytes + mInBlockSize - 1) / mInBlockSize;
+ size_t rawBlocks = rawBytes / mInBlockSize;
+
+ /*
+ * encrypting: always get one additional block on final() if we're padding
+ * or (we presume) the subclass is padding. Note that we
+ * truncated when calculating rawBlocks; to finish out on the
+ * final block, we (or our subclass) will either have to pad
+ * out the current partial block, or cook up a full pad block if
+ * mInBufSize is currently zero. Subclasses which pad some other
+ * way need to override this method.
+ *
+ * decrypting: outsize always <= insize
+ */
+ if(encoding() && final && (mPkcsPadding || mNeedFinalData)) {
+ rawBlocks++;
+ }
+
+ /* FIXME - optimize for needFinalData? (can squeak by with smaller outSize) */
+ size_t rtn = rawBlocks * mOutBlockSize;
+ bprintf("--- BlockCryptor::outputSize inSize 0x%lx outSize 0x%lx final %d "
+ "inBufSize 0x%lx", inSize, rtn, final, mInBufSize);
+ return rtn;
+}
+
+
+
projects / apple / security.git / blobdiff