2007-12-12 22:09:01 +01:00
|
|
|
/* Copyright (c) 2001, Matej Pfajfar.
|
2006-02-09 06:46:49 +01:00
|
|
|
* Copyright (c) 2001-2004, Roger Dingledine.
|
2007-12-12 22:09:01 +01:00
|
|
|
* Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
|
2017-03-15 21:13:17 +01:00
|
|
|
* Copyright (c) 2007-2017, The Tor Project, Inc. */
|
2003-06-30 21:18:12 +02:00
|
|
|
/* See LICENSE for licensing information */
|
|
|
|
|
2004-05-10 05:53:24 +02:00
|
|
|
/**
|
|
|
|
* \file aes.c
|
2011-11-09 04:51:59 +01:00
|
|
|
* \brief Implements a counter-mode stream cipher on top of AES.
|
2004-05-10 05:53:24 +02:00
|
|
|
**/
|
2003-06-30 21:18:12 +02:00
|
|
|
|
2004-11-14 18:21:32 +01:00
|
|
|
#include "orconfig.h"
|
2012-05-14 19:04:13 +02:00
|
|
|
|
|
|
|
#ifdef _WIN32 /*wrkard for dtls1.h >= 0.9.8m of "#include <winsock.h>"*/
|
2015-06-29 18:55:03 +02:00
|
|
|
#include <winsock2.h>
|
|
|
|
#include <ws2tcpip.h>
|
2012-05-14 19:04:13 +02:00
|
|
|
#endif
|
|
|
|
|
2005-09-23 20:50:50 +02:00
|
|
|
#include <openssl/opensslv.h>
|
2015-05-21 17:54:13 +02:00
|
|
|
#include "crypto.h"
|
|
|
|
|
|
|
|
#if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,0,0)
|
|
|
|
#error "We require OpenSSL >= 1.0.0"
|
|
|
|
#endif
|
|
|
|
|
2016-06-15 02:21:02 +02:00
|
|
|
DISABLE_GCC_WARNING(redundant-decls)
|
2016-06-15 02:14:53 +02:00
|
|
|
|
2003-06-30 21:18:12 +02:00
|
|
|
#include <assert.h>
|
|
|
|
#include <stdlib.h>
|
|
|
|
#include <string.h>
|
2011-11-21 03:20:31 +01:00
|
|
|
#include <openssl/aes.h>
|
|
|
|
#include <openssl/evp.h>
|
|
|
|
#include <openssl/engine.h>
|
2011-11-21 03:43:14 +01:00
|
|
|
#include <openssl/modes.h>
|
2016-06-15 02:14:53 +02:00
|
|
|
|
2016-06-15 02:21:02 +02:00
|
|
|
ENABLE_GCC_WARNING(redundant-decls)
|
2016-06-15 02:14:53 +02:00
|
|
|
|
2007-02-27 04:53:45 +01:00
|
|
|
#include "compat.h"
|
2003-08-12 08:45:03 +02:00
|
|
|
#include "aes.h"
|
2003-06-30 21:18:12 +02:00
|
|
|
#include "util.h"
|
2010-07-10 03:52:20 +02:00
|
|
|
#include "torlog.h"
|
2012-12-13 23:34:05 +01:00
|
|
|
#include "di_ops.h"
|
2003-06-30 21:18:12 +02:00
|
|
|
|
2011-11-21 03:20:31 +01:00
|
|
|
#ifdef ANDROID
|
|
|
|
/* Android's OpenSSL seems to have removed all of its Engine support. */
|
|
|
|
#define DISABLE_ENGINES
|
2011-11-09 04:51:59 +01:00
|
|
|
#endif
|
2007-02-27 04:53:45 +01:00
|
|
|
|
2012-03-20 18:51:11 +01:00
|
|
|
/* We have five strategies for implementing AES counter mode.
|
|
|
|
*
|
2016-09-16 17:21:33 +02:00
|
|
|
* Best with x86 and x86_64: Use EVP_aes_*_ctr() and EVP_EncryptUpdate().
|
2012-03-20 18:51:11 +01:00
|
|
|
* This is possible with OpenSSL 1.0.1, where the counter-mode implementation
|
|
|
|
* can use bit-sliced or vectorized AES or AESNI as appropriate.
|
|
|
|
*
|
|
|
|
* Otherwise: Pick the best possible AES block implementation that OpenSSL
|
|
|
|
* gives us, and the best possible counter-mode implementation, and combine
|
|
|
|
* them.
|
|
|
|
*/
|
2016-11-07 03:01:25 +01:00
|
|
|
#if OPENSSL_VERSION_NUMBER >= OPENSSL_V_NOPATCH(1,1,0)
|
|
|
|
|
|
|
|
/* With newer OpenSSL versions, the older fallback modes don't compile. So
|
|
|
|
* don't use them, even if we lack specific acceleration. */
|
|
|
|
|
|
|
|
#define USE_EVP_AES_CTR
|
|
|
|
|
|
|
|
#elif OPENSSL_VERSION_NUMBER >= OPENSSL_V_NOPATCH(1,0,1) && \
|
2012-03-20 18:51:11 +01:00
|
|
|
(defined(__i386) || defined(__i386__) || defined(_M_IX86) || \
|
|
|
|
defined(__x86_64) || defined(__x86_64__) || \
|
2017-08-24 21:32:30 +02:00
|
|
|
defined(_M_AMD64) || defined(_M_X64) || defined(__INTEL__))
|
2012-03-20 18:51:11 +01:00
|
|
|
|
|
|
|
#define USE_EVP_AES_CTR
|
|
|
|
|
2017-09-15 22:24:44 +02:00
|
|
|
#endif /* OPENSSL_VERSION_NUMBER >= OPENSSL_V_NOPATCH(1,1,0) || ... */
|
2012-03-20 18:51:11 +01:00
|
|
|
|
|
|
|
/* We have 2 strategies for getting the AES block cipher: Via OpenSSL's
|
|
|
|
* AES_encrypt function, or via OpenSSL's EVP_EncryptUpdate function.
|
2011-11-21 03:20:31 +01:00
|
|
|
*
|
|
|
|
* If there's any hardware acceleration in play, we want to be using EVP_* so
|
|
|
|
* we can get it. Otherwise, we'll want AES_*, which seems to be about 5%
|
|
|
|
* faster than indirecting through the EVP layer.
|
|
|
|
*/
|
|
|
|
|
2012-03-20 18:51:11 +01:00
|
|
|
/* We have 2 strategies for getting a plug-in counter mode: use our own, or
|
|
|
|
* use OpenSSL's.
|
2011-11-21 03:43:14 +01:00
|
|
|
*
|
|
|
|
* Here we have a counter mode that's faster than the one shipping with
|
|
|
|
* OpenSSL pre-1.0 (by about 10%!). But OpenSSL 1.0.0 added a counter mode
|
|
|
|
* implementation faster than the one here (by about 7%). So we pick which
|
2011-12-28 02:31:23 +01:00
|
|
|
* one to used based on the Openssl version above. (OpenSSL 1.0.0a fixed a
|
2012-01-10 17:13:45 +01:00
|
|
|
* critical bug in that counter mode implementation, so we need to test to
|
|
|
|
* make sure that we have a fixed version.)
|
2011-11-21 03:43:14 +01:00
|
|
|
*/
|
2007-02-27 04:53:45 +01:00
|
|
|
|
2012-03-20 18:51:11 +01:00
|
|
|
#ifdef USE_EVP_AES_CTR
|
|
|
|
|
2016-02-03 17:13:12 +01:00
|
|
|
/* We don't actually define the struct here. */
|
2012-03-20 18:51:11 +01:00
|
|
|
|
|
|
|
aes_cnt_cipher_t *
|
2016-09-16 15:51:51 +02:00
|
|
|
aes_new_cipher(const uint8_t *key, const uint8_t *iv, int key_bits)
|
2012-03-20 18:51:11 +01:00
|
|
|
{
|
2016-02-03 17:13:12 +01:00
|
|
|
EVP_CIPHER_CTX *cipher = EVP_CIPHER_CTX_new();
|
2016-09-16 15:51:51 +02:00
|
|
|
const EVP_CIPHER *c;
|
|
|
|
switch (key_bits) {
|
|
|
|
case 128: c = EVP_aes_128_ctr(); break;
|
|
|
|
case 192: c = EVP_aes_192_ctr(); break;
|
|
|
|
case 256: c = EVP_aes_256_ctr(); break;
|
|
|
|
default: tor_assert(0); // LCOV_EXCL_LINE
|
|
|
|
}
|
|
|
|
EVP_EncryptInit(cipher, c, key, iv);
|
2016-02-03 17:13:12 +01:00
|
|
|
return (aes_cnt_cipher_t *) cipher;
|
2012-03-20 18:51:11 +01:00
|
|
|
}
|
|
|
|
void
|
2016-02-03 17:13:12 +01:00
|
|
|
aes_cipher_free(aes_cnt_cipher_t *cipher_)
|
2012-03-20 18:51:11 +01:00
|
|
|
{
|
2016-02-03 17:13:12 +01:00
|
|
|
if (!cipher_)
|
2012-03-20 18:51:11 +01:00
|
|
|
return;
|
2016-02-03 17:13:12 +01:00
|
|
|
EVP_CIPHER_CTX *cipher = (EVP_CIPHER_CTX *) cipher_;
|
|
|
|
EVP_CIPHER_CTX_cleanup(cipher);
|
|
|
|
EVP_CIPHER_CTX_free(cipher);
|
2012-03-20 18:51:11 +01:00
|
|
|
}
|
|
|
|
void
|
2016-02-03 17:13:12 +01:00
|
|
|
aes_crypt_inplace(aes_cnt_cipher_t *cipher_, char *data, size_t len)
|
2012-03-20 18:51:11 +01:00
|
|
|
{
|
|
|
|
int outl;
|
2016-02-03 17:13:12 +01:00
|
|
|
EVP_CIPHER_CTX *cipher = (EVP_CIPHER_CTX *) cipher_;
|
2012-03-20 18:51:11 +01:00
|
|
|
|
|
|
|
tor_assert(len < INT_MAX);
|
|
|
|
|
2016-02-03 17:13:12 +01:00
|
|
|
EVP_EncryptUpdate(cipher, (unsigned char*)data,
|
2012-03-20 18:51:11 +01:00
|
|
|
&outl, (unsigned char*)data, (int)len);
|
|
|
|
}
|
|
|
|
int
|
|
|
|
evaluate_evp_for_aes(int force_val)
|
|
|
|
{
|
|
|
|
(void) force_val;
|
2012-09-10 16:38:22 +02:00
|
|
|
log_info(LD_CRYPTO, "This version of OpenSSL has a known-good EVP "
|
|
|
|
"counter-mode implementation. Using it.");
|
2012-03-20 18:51:11 +01:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
int
|
|
|
|
evaluate_ctr_for_aes(void)
|
|
|
|
{
|
|
|
|
return 0;
|
|
|
|
}
|
2017-09-15 22:24:44 +02:00
|
|
|
#else /* !(defined(USE_EVP_AES_CTR)) */
|
2012-03-20 18:51:11 +01:00
|
|
|
|
2003-06-30 21:18:12 +02:00
|
|
|
/*======================================================================*/
|
|
|
|
/* Interface to AES code, and counter implementation */
|
|
|
|
|
2008-02-21 10:01:32 +01:00
|
|
|
/** Implements an AES counter-mode cipher. */
|
2003-06-30 21:18:12 +02:00
|
|
|
struct aes_cnt_cipher {
|
2008-02-21 10:01:32 +01:00
|
|
|
/** This next element (however it's defined) is the AES key. */
|
2011-11-21 03:20:31 +01:00
|
|
|
union {
|
|
|
|
EVP_CIPHER_CTX evp;
|
|
|
|
AES_KEY aes;
|
|
|
|
} key;
|
2007-09-20 19:07:45 +02:00
|
|
|
|
2012-01-09 23:40:11 +01:00
|
|
|
#if !defined(WORDS_BIGENDIAN)
|
2007-09-20 19:28:07 +02:00
|
|
|
#define USING_COUNTER_VARS
|
2007-09-20 19:07:45 +02:00
|
|
|
/** These four values, together, implement a 128-bit counter, with
|
|
|
|
* counter0 as the low-order word and counter3 as the high-order word. */
|
2011-11-09 04:54:52 +01:00
|
|
|
uint32_t counter3;
|
|
|
|
uint32_t counter2;
|
|
|
|
uint32_t counter1;
|
|
|
|
uint32_t counter0;
|
2017-09-15 22:24:44 +02:00
|
|
|
#endif /* !defined(WORDS_BIGENDIAN) */
|
2007-09-20 19:07:45 +02:00
|
|
|
|
|
|
|
union {
|
|
|
|
/** The counter, in big-endian order, as bytes. */
|
2011-11-09 04:54:52 +01:00
|
|
|
uint8_t buf[16];
|
2007-09-20 19:07:45 +02:00
|
|
|
/** The counter, in big-endian order, as big-endian words. Note that
|
|
|
|
* on big-endian platforms, this is redundant with counter3...0,
|
|
|
|
* so we just use these values instead. */
|
2011-11-09 04:54:52 +01:00
|
|
|
uint32_t buf32[4];
|
2007-09-20 19:07:45 +02:00
|
|
|
} ctr_buf;
|
2011-11-09 04:57:15 +01:00
|
|
|
|
2007-09-20 19:07:45 +02:00
|
|
|
/** The encrypted value of ctr_buf. */
|
2011-11-09 04:54:52 +01:00
|
|
|
uint8_t buf[16];
|
2007-09-20 19:07:45 +02:00
|
|
|
/** Our current stream position within buf. */
|
2011-11-21 03:43:14 +01:00
|
|
|
unsigned int pos;
|
2011-11-21 03:20:31 +01:00
|
|
|
|
|
|
|
/** True iff we're using the evp implementation of this cipher. */
|
|
|
|
uint8_t using_evp;
|
2003-06-30 21:18:12 +02:00
|
|
|
};
|
|
|
|
|
2012-01-10 17:13:45 +01:00
|
|
|
/** True iff we should prefer the EVP implementation for AES, either because
|
2011-11-21 03:20:31 +01:00
|
|
|
* we're testing it or because we have hardware acceleration configured */
|
|
|
|
static int should_use_EVP = 0;
|
|
|
|
|
|
|
|
/** Check whether we should use the EVP interface for AES. If <b>force_val</b>
|
|
|
|
* is nonnegative, we use use EVP iff it is true. Otherwise, we use EVP
|
|
|
|
* if there is an engine enabled for aes-ecb. */
|
|
|
|
int
|
|
|
|
evaluate_evp_for_aes(int force_val)
|
|
|
|
{
|
|
|
|
ENGINE *e;
|
|
|
|
|
|
|
|
if (force_val >= 0) {
|
|
|
|
should_use_EVP = force_val;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
#ifdef DISABLE_ENGINES
|
|
|
|
should_use_EVP = 0;
|
|
|
|
#else
|
|
|
|
e = ENGINE_get_cipher_engine(NID_aes_128_ecb);
|
|
|
|
|
|
|
|
if (e) {
|
2012-09-04 18:32:38 +02:00
|
|
|
log_info(LD_CRYPTO, "AES engine \"%s\" found; using EVP_* functions.",
|
2011-11-21 03:20:31 +01:00
|
|
|
ENGINE_get_name(e));
|
|
|
|
should_use_EVP = 1;
|
|
|
|
} else {
|
2012-09-04 18:32:38 +02:00
|
|
|
log_info(LD_CRYPTO, "No AES engine found; using AES_* functions.");
|
2011-11-21 03:20:31 +01:00
|
|
|
should_use_EVP = 0;
|
|
|
|
}
|
2017-09-15 22:24:44 +02:00
|
|
|
#endif /* defined(DISABLE_ENGINES) */
|
2011-11-21 03:20:31 +01:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2012-01-10 17:13:45 +01:00
|
|
|
/** Test the OpenSSL counter mode implementation to see whether it has the
|
|
|
|
* counter-mode bug from OpenSSL 1.0.0. If the implementation works, then
|
|
|
|
* we will use it for future encryption/decryption operations.
|
|
|
|
*
|
|
|
|
* We can't just look at the OpenSSL version, since some distributions update
|
|
|
|
* their OpenSSL packages without changing the version number.
|
|
|
|
**/
|
2012-01-09 23:40:11 +01:00
|
|
|
int
|
|
|
|
evaluate_ctr_for_aes(void)
|
|
|
|
{
|
|
|
|
/* Result of encrypting an all-zero block with an all-zero 128-bit AES key.
|
|
|
|
* This should be the same as encrypting an all-zero block with an all-zero
|
|
|
|
* 128-bit AES key in counter mode, starting at position 0 of the stream.
|
|
|
|
*/
|
|
|
|
static const unsigned char encrypt_zero[] =
|
|
|
|
"\x66\xe9\x4b\xd4\xef\x8a\x2c\x3b\x88\x4c\xfa\x59\xca\x34\x2b\x2e";
|
|
|
|
unsigned char zero[16];
|
|
|
|
unsigned char output[16];
|
|
|
|
unsigned char ivec[16];
|
|
|
|
unsigned char ivec_tmp[16];
|
|
|
|
unsigned int pos, i;
|
|
|
|
AES_KEY key;
|
|
|
|
memset(zero, 0, sizeof(zero));
|
|
|
|
memset(ivec, 0, sizeof(ivec));
|
|
|
|
AES_set_encrypt_key(zero, 128, &key);
|
|
|
|
|
|
|
|
pos = 0;
|
|
|
|
/* Encrypting a block one byte at a time should make the error manifest
|
|
|
|
* itself for known bogus openssl versions. */
|
|
|
|
for (i=0; i<16; ++i)
|
|
|
|
AES_ctr128_encrypt(&zero[i], &output[i], 1, &key, ivec, ivec_tmp, &pos);
|
|
|
|
|
2012-12-13 23:34:05 +01:00
|
|
|
if (fast_memneq(output, encrypt_zero, 16)) {
|
2012-01-09 23:40:11 +01:00
|
|
|
/* Counter mode is buggy */
|
2016-06-16 15:50:52 +02:00
|
|
|
/* LCOV_EXCL_START */
|
2016-02-06 18:05:32 +01:00
|
|
|
log_err(LD_CRYPTO, "This OpenSSL has a buggy version of counter mode; "
|
|
|
|
"quitting tor.");
|
|
|
|
exit(1);
|
2016-06-16 15:50:52 +02:00
|
|
|
/* LCOV_EXCL_STOP */
|
2012-01-09 23:40:11 +01:00
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2007-09-20 19:28:07 +02:00
|
|
|
#if !defined(USING_COUNTER_VARS)
|
2007-09-20 19:07:45 +02:00
|
|
|
#define COUNTER(c, n) ((c)->ctr_buf.buf32[3-(n)])
|
|
|
|
#else
|
|
|
|
#define COUNTER(c, n) ((c)->counter ## n)
|
|
|
|
#endif
|
|
|
|
|
2016-09-22 14:52:42 +02:00
|
|
|
static void aes_set_key(aes_cnt_cipher_t *cipher, const uint8_t *key,
|
2012-03-20 20:35:43 +01:00
|
|
|
int key_bits);
|
2016-09-22 14:52:42 +02:00
|
|
|
static void aes_set_iv(aes_cnt_cipher_t *cipher, const uint8_t *iv);
|
2012-03-20 20:35:43 +01:00
|
|
|
|
2004-05-10 05:53:24 +02:00
|
|
|
/**
|
2012-03-20 20:35:43 +01:00
|
|
|
* Return a newly allocated counter-mode AES128 cipher implementation,
|
|
|
|
* using the 128-bit key <b>key</b> and the 128-bit IV <b>iv</b>.
|
2004-05-10 05:53:24 +02:00
|
|
|
*/
|
2003-06-30 21:18:12 +02:00
|
|
|
aes_cnt_cipher_t*
|
2016-09-16 15:51:51 +02:00
|
|
|
aes_new_cipher(const uint8_t *key, const uint8_t *iv, int bits)
|
2003-06-30 21:18:12 +02:00
|
|
|
{
|
2005-09-23 20:50:50 +02:00
|
|
|
aes_cnt_cipher_t* result = tor_malloc_zero(sizeof(aes_cnt_cipher_t));
|
2003-06-30 21:18:12 +02:00
|
|
|
|
2016-09-16 15:51:51 +02:00
|
|
|
aes_set_key(result, key, bits);
|
2012-03-20 20:35:43 +01:00
|
|
|
aes_set_iv(result, iv);
|
|
|
|
|
2003-06-30 21:18:12 +02:00
|
|
|
return result;
|
|
|
|
}
|
|
|
|
|
2004-05-10 05:53:24 +02:00
|
|
|
/** Set the key of <b>cipher</b> to <b>key</b>, which is
|
|
|
|
* <b>key_bits</b> bits long (must be 128, 192, or 256). Also resets
|
|
|
|
* the counter to 0.
|
|
|
|
*/
|
2012-03-20 20:35:43 +01:00
|
|
|
static void
|
2016-09-16 15:51:51 +02:00
|
|
|
aes_set_key(aes_cnt_cipher_t *cipher, const uint8_t *key, int key_bits)
|
2003-06-30 21:18:12 +02:00
|
|
|
{
|
2011-11-21 03:20:31 +01:00
|
|
|
if (should_use_EVP) {
|
2015-03-21 01:59:05 +01:00
|
|
|
const EVP_CIPHER *c = 0;
|
2011-11-21 03:20:31 +01:00
|
|
|
switch (key_bits) {
|
|
|
|
case 128: c = EVP_aes_128_ecb(); break;
|
|
|
|
case 192: c = EVP_aes_192_ecb(); break;
|
|
|
|
case 256: c = EVP_aes_256_ecb(); break;
|
2016-06-15 23:25:53 +02:00
|
|
|
default: tor_assert(0); // LCOV_EXCL_LINE
|
2011-11-21 03:20:31 +01:00
|
|
|
}
|
2016-09-16 15:51:51 +02:00
|
|
|
EVP_EncryptInit(&cipher->key.evp, c, key, NULL);
|
2011-11-21 03:20:31 +01:00
|
|
|
cipher->using_evp = 1;
|
|
|
|
} else {
|
2016-09-16 15:51:51 +02:00
|
|
|
AES_set_encrypt_key(key, key_bits,&cipher->key.aes);
|
2011-11-21 03:20:31 +01:00
|
|
|
cipher->using_evp = 0;
|
2005-09-27 21:39:25 +02:00
|
|
|
}
|
2011-11-21 03:43:14 +01:00
|
|
|
|
2007-09-20 19:28:07 +02:00
|
|
|
#ifdef USING_COUNTER_VARS
|
|
|
|
cipher->counter0 = 0;
|
|
|
|
cipher->counter1 = 0;
|
|
|
|
cipher->counter2 = 0;
|
|
|
|
cipher->counter3 = 0;
|
2017-09-15 22:24:44 +02:00
|
|
|
#endif /* defined(USING_COUNTER_VARS) */
|
2011-11-09 04:57:15 +01:00
|
|
|
|
2007-09-20 19:07:45 +02:00
|
|
|
memset(cipher->ctr_buf.buf, 0, sizeof(cipher->ctr_buf.buf));
|
|
|
|
|
2003-06-30 21:18:12 +02:00
|
|
|
cipher->pos = 0;
|
2011-11-21 03:43:14 +01:00
|
|
|
|
2016-02-06 18:05:32 +01:00
|
|
|
memset(cipher->buf, 0, sizeof(cipher->buf));
|
2003-06-30 21:18:12 +02:00
|
|
|
}
|
|
|
|
|
2004-05-10 05:53:24 +02:00
|
|
|
/** Release storage held by <b>cipher</b>
|
|
|
|
*/
|
2003-06-30 21:18:12 +02:00
|
|
|
void
|
2012-01-18 21:53:30 +01:00
|
|
|
aes_cipher_free(aes_cnt_cipher_t *cipher)
|
2003-06-30 21:18:12 +02:00
|
|
|
{
|
2009-09-28 16:37:01 +02:00
|
|
|
if (!cipher)
|
|
|
|
return;
|
2011-11-21 03:20:31 +01:00
|
|
|
if (cipher->using_evp) {
|
|
|
|
EVP_CIPHER_CTX_cleanup(&cipher->key.evp);
|
|
|
|
}
|
2012-11-07 22:09:58 +01:00
|
|
|
memwipe(cipher, 0, sizeof(aes_cnt_cipher_t));
|
2005-09-30 22:47:58 +02:00
|
|
|
tor_free(cipher);
|
2003-06-30 21:18:12 +02:00
|
|
|
}
|
|
|
|
|
2011-11-09 04:57:15 +01:00
|
|
|
#if defined(USING_COUNTER_VARS)
|
2007-09-20 19:07:45 +02:00
|
|
|
#define UPDATE_CTR_BUF(c, n) STMT_BEGIN \
|
|
|
|
(c)->ctr_buf.buf32[3-(n)] = htonl((c)->counter ## n); \
|
|
|
|
STMT_END
|
2007-09-20 19:28:07 +02:00
|
|
|
#else
|
|
|
|
#define UPDATE_CTR_BUF(c, n)
|
2017-09-15 22:24:44 +02:00
|
|
|
#endif /* defined(USING_COUNTER_VARS) */
|
2007-09-20 19:07:45 +02:00
|
|
|
|
2011-11-21 03:43:14 +01:00
|
|
|
/* Helper function to use EVP with openssl's counter-mode wrapper. */
|
2012-10-12 23:17:36 +02:00
|
|
|
static void
|
|
|
|
evp_block128_fn(const uint8_t in[16],
|
|
|
|
uint8_t out[16],
|
|
|
|
const void *key)
|
2011-11-21 03:43:14 +01:00
|
|
|
{
|
|
|
|
EVP_CIPHER_CTX *ctx = (void*)key;
|
|
|
|
int inl=16, outl=16;
|
|
|
|
EVP_EncryptUpdate(ctx, out, &outl, in, inl);
|
|
|
|
}
|
|
|
|
|
2008-02-07 17:10:33 +01:00
|
|
|
/** Encrypt <b>len</b> bytes from <b>input</b>, storing the results in place.
|
|
|
|
* Uses the key in <b>cipher</b>, and advances the counter by <b>len</b> bytes
|
|
|
|
* as it encrypts.
|
|
|
|
*/
|
|
|
|
void
|
|
|
|
aes_crypt_inplace(aes_cnt_cipher_t *cipher, char *data, size_t len)
|
|
|
|
{
|
2016-09-16 15:51:51 +02:00
|
|
|
/* Note that the "128" below refers to the length of the counter,
|
|
|
|
* not the length of the AES key. */
|
2016-02-06 18:05:32 +01:00
|
|
|
if (cipher->using_evp) {
|
|
|
|
/* In openssl 1.0.0, there's an if'd out EVP_aes_128_ctr in evp.h. If
|
|
|
|
* it weren't disabled, it might be better just to use that.
|
|
|
|
*/
|
|
|
|
CRYPTO_ctr128_encrypt((const unsigned char *)data,
|
|
|
|
(unsigned char *)data,
|
|
|
|
len,
|
|
|
|
&cipher->key.evp,
|
|
|
|
cipher->ctr_buf.buf,
|
|
|
|
cipher->buf,
|
|
|
|
&cipher->pos,
|
|
|
|
evp_block128_fn);
|
2015-05-20 16:23:23 +02:00
|
|
|
} else {
|
2016-02-06 18:05:32 +01:00
|
|
|
AES_ctr128_encrypt((const unsigned char *)data,
|
|
|
|
(unsigned char *)data,
|
|
|
|
len,
|
|
|
|
&cipher->key.aes,
|
|
|
|
cipher->ctr_buf.buf,
|
|
|
|
cipher->buf,
|
|
|
|
&cipher->pos);
|
2012-01-09 23:40:11 +01:00
|
|
|
}
|
2008-02-07 17:10:33 +01:00
|
|
|
}
|
|
|
|
|
2007-10-04 18:21:58 +02:00
|
|
|
/** Reset the 128-bit counter of <b>cipher</b> to the 16-bit big-endian value
|
|
|
|
* in <b>iv</b>. */
|
2012-03-20 20:35:43 +01:00
|
|
|
static void
|
2016-09-16 15:51:51 +02:00
|
|
|
aes_set_iv(aes_cnt_cipher_t *cipher, const uint8_t *iv)
|
2007-09-19 17:53:38 +02:00
|
|
|
{
|
2007-09-20 19:28:07 +02:00
|
|
|
#ifdef USING_COUNTER_VARS
|
2007-09-19 17:53:38 +02:00
|
|
|
cipher->counter3 = ntohl(get_uint32(iv));
|
|
|
|
cipher->counter2 = ntohl(get_uint32(iv+4));
|
|
|
|
cipher->counter1 = ntohl(get_uint32(iv+8));
|
|
|
|
cipher->counter0 = ntohl(get_uint32(iv+12));
|
2017-09-15 22:24:44 +02:00
|
|
|
#endif /* defined(USING_COUNTER_VARS) */
|
2007-09-19 17:53:38 +02:00
|
|
|
cipher->pos = 0;
|
2007-09-20 19:07:45 +02:00
|
|
|
memcpy(cipher->ctr_buf.buf, iv, 16);
|
2007-09-19 17:53:38 +02:00
|
|
|
}
|
|
|
|
|
2017-09-15 22:24:44 +02:00
|
|
|
#endif /* defined(USE_EVP_AES_CTR) */
|
2016-02-06 20:00:24 +01:00
|
|
|
|