aes.c 11 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390
  1. /* Copyright (c) 2001, Matej Pfajfar.
  2. * Copyright (c) 2001-2004, Roger Dingledine.
  3. * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
  4. * Copyright (c) 2007-2016, The Tor Project, Inc. */
  5. /* See LICENSE for licensing information */
  6. /**
  7. * \file aes.c
  8. * \brief Implements a counter-mode stream cipher on top of AES.
  9. **/
  10. #include "orconfig.h"
  11. #ifdef _WIN32 /*wrkard for dtls1.h >= 0.9.8m of "#include <winsock.h>"*/
  12. #include <winsock2.h>
  13. #include <ws2tcpip.h>
  14. #endif
  15. #include <openssl/opensslv.h>
  16. #include "crypto.h"
  17. #if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,0,0)
  18. #error "We require OpenSSL >= 1.0.0"
  19. #endif
  20. DISABLE_GCC_WARNING(redundant-decls)
  21. #include <assert.h>
  22. #include <stdlib.h>
  23. #include <string.h>
  24. #include <openssl/aes.h>
  25. #include <openssl/evp.h>
  26. #include <openssl/engine.h>
  27. #include <openssl/modes.h>
  28. ENABLE_GCC_WARNING(redundant-decls)
  29. #include "compat.h"
  30. #include "aes.h"
  31. #include "util.h"
  32. #include "torlog.h"
  33. #include "di_ops.h"
  34. #ifdef ANDROID
  35. /* Android's OpenSSL seems to have removed all of its Engine support. */
  36. #define DISABLE_ENGINES
  37. #endif
  38. /* We have five strategies for implementing AES counter mode.
  39. *
  40. * Best with x86 and x86_64: Use EVP_aes_ctr128() and EVP_EncryptUpdate().
  41. * This is possible with OpenSSL 1.0.1, where the counter-mode implementation
  42. * can use bit-sliced or vectorized AES or AESNI as appropriate.
  43. *
  44. * Otherwise: Pick the best possible AES block implementation that OpenSSL
  45. * gives us, and the best possible counter-mode implementation, and combine
  46. * them.
  47. */
  48. #if OPENSSL_VERSION_NUMBER >= OPENSSL_V_NOPATCH(1,0,1) && \
  49. (defined(__i386) || defined(__i386__) || defined(_M_IX86) || \
  50. defined(__x86_64) || defined(__x86_64__) || \
  51. defined(_M_AMD64) || defined(_M_X64) || defined(__INTEL__)) \
  52. #define USE_EVP_AES_CTR
  53. #endif
  54. /* We have 2 strategies for getting the AES block cipher: Via OpenSSL's
  55. * AES_encrypt function, or via OpenSSL's EVP_EncryptUpdate function.
  56. *
  57. * If there's any hardware acceleration in play, we want to be using EVP_* so
  58. * we can get it. Otherwise, we'll want AES_*, which seems to be about 5%
  59. * faster than indirecting through the EVP layer.
  60. */
  61. /* We have 2 strategies for getting a plug-in counter mode: use our own, or
  62. * use OpenSSL's.
  63. *
  64. * Here we have a counter mode that's faster than the one shipping with
  65. * OpenSSL pre-1.0 (by about 10%!). But OpenSSL 1.0.0 added a counter mode
  66. * implementation faster than the one here (by about 7%). So we pick which
  67. * one to used based on the Openssl version above. (OpenSSL 1.0.0a fixed a
  68. * critical bug in that counter mode implementation, so we need to test to
  69. * make sure that we have a fixed version.)
  70. */
  71. #ifdef USE_EVP_AES_CTR
  72. /* We don't actually define the struct here. */
  73. aes_cnt_cipher_t *
  74. aes_new_cipher(const char *key, const char *iv)
  75. {
  76. EVP_CIPHER_CTX *cipher = EVP_CIPHER_CTX_new();
  77. EVP_EncryptInit(cipher, EVP_aes_128_ctr(),
  78. (const unsigned char*)key, (const unsigned char *)iv);
  79. return (aes_cnt_cipher_t *) cipher;
  80. }
  81. void
  82. aes_cipher_free(aes_cnt_cipher_t *cipher_)
  83. {
  84. if (!cipher_)
  85. return;
  86. EVP_CIPHER_CTX *cipher = (EVP_CIPHER_CTX *) cipher_;
  87. EVP_CIPHER_CTX_cleanup(cipher);
  88. EVP_CIPHER_CTX_free(cipher);
  89. }
  90. void
  91. aes_crypt_inplace(aes_cnt_cipher_t *cipher_, char *data, size_t len)
  92. {
  93. int outl;
  94. EVP_CIPHER_CTX *cipher = (EVP_CIPHER_CTX *) cipher_;
  95. tor_assert(len < INT_MAX);
  96. EVP_EncryptUpdate(cipher, (unsigned char*)data,
  97. &outl, (unsigned char*)data, (int)len);
  98. }
  99. int
  100. evaluate_evp_for_aes(int force_val)
  101. {
  102. (void) force_val;
  103. log_info(LD_CRYPTO, "This version of OpenSSL has a known-good EVP "
  104. "counter-mode implementation. Using it.");
  105. return 0;
  106. }
  107. int
  108. evaluate_ctr_for_aes(void)
  109. {
  110. return 0;
  111. }
  112. #else
  113. /*======================================================================*/
  114. /* Interface to AES code, and counter implementation */
  115. /** Implements an AES counter-mode cipher. */
  116. struct aes_cnt_cipher {
  117. /** This next element (however it's defined) is the AES key. */
  118. union {
  119. EVP_CIPHER_CTX evp;
  120. AES_KEY aes;
  121. } key;
  122. #if !defined(WORDS_BIGENDIAN)
  123. #define USING_COUNTER_VARS
  124. /** These four values, together, implement a 128-bit counter, with
  125. * counter0 as the low-order word and counter3 as the high-order word. */
  126. uint32_t counter3;
  127. uint32_t counter2;
  128. uint32_t counter1;
  129. uint32_t counter0;
  130. #endif
  131. union {
  132. /** The counter, in big-endian order, as bytes. */
  133. uint8_t buf[16];
  134. /** The counter, in big-endian order, as big-endian words. Note that
  135. * on big-endian platforms, this is redundant with counter3...0,
  136. * so we just use these values instead. */
  137. uint32_t buf32[4];
  138. } ctr_buf;
  139. /** The encrypted value of ctr_buf. */
  140. uint8_t buf[16];
  141. /** Our current stream position within buf. */
  142. unsigned int pos;
  143. /** True iff we're using the evp implementation of this cipher. */
  144. uint8_t using_evp;
  145. };
  146. /** True iff we should prefer the EVP implementation for AES, either because
  147. * we're testing it or because we have hardware acceleration configured */
  148. static int should_use_EVP = 0;
  149. /** Check whether we should use the EVP interface for AES. If <b>force_val</b>
  150. * is nonnegative, we use use EVP iff it is true. Otherwise, we use EVP
  151. * if there is an engine enabled for aes-ecb. */
  152. int
  153. evaluate_evp_for_aes(int force_val)
  154. {
  155. ENGINE *e;
  156. if (force_val >= 0) {
  157. should_use_EVP = force_val;
  158. return 0;
  159. }
  160. #ifdef DISABLE_ENGINES
  161. should_use_EVP = 0;
  162. #else
  163. e = ENGINE_get_cipher_engine(NID_aes_128_ecb);
  164. if (e) {
  165. log_info(LD_CRYPTO, "AES engine \"%s\" found; using EVP_* functions.",
  166. ENGINE_get_name(e));
  167. should_use_EVP = 1;
  168. } else {
  169. log_info(LD_CRYPTO, "No AES engine found; using AES_* functions.");
  170. should_use_EVP = 0;
  171. }
  172. #endif
  173. return 0;
  174. }
  175. /** Test the OpenSSL counter mode implementation to see whether it has the
  176. * counter-mode bug from OpenSSL 1.0.0. If the implementation works, then
  177. * we will use it for future encryption/decryption operations.
  178. *
  179. * We can't just look at the OpenSSL version, since some distributions update
  180. * their OpenSSL packages without changing the version number.
  181. **/
  182. int
  183. evaluate_ctr_for_aes(void)
  184. {
  185. /* Result of encrypting an all-zero block with an all-zero 128-bit AES key.
  186. * This should be the same as encrypting an all-zero block with an all-zero
  187. * 128-bit AES key in counter mode, starting at position 0 of the stream.
  188. */
  189. static const unsigned char encrypt_zero[] =
  190. "\x66\xe9\x4b\xd4\xef\x8a\x2c\x3b\x88\x4c\xfa\x59\xca\x34\x2b\x2e";
  191. unsigned char zero[16];
  192. unsigned char output[16];
  193. unsigned char ivec[16];
  194. unsigned char ivec_tmp[16];
  195. unsigned int pos, i;
  196. AES_KEY key;
  197. memset(zero, 0, sizeof(zero));
  198. memset(ivec, 0, sizeof(ivec));
  199. AES_set_encrypt_key(zero, 128, &key);
  200. pos = 0;
  201. /* Encrypting a block one byte at a time should make the error manifest
  202. * itself for known bogus openssl versions. */
  203. for (i=0; i<16; ++i)
  204. AES_ctr128_encrypt(&zero[i], &output[i], 1, &key, ivec, ivec_tmp, &pos);
  205. if (fast_memneq(output, encrypt_zero, 16)) {
  206. /* Counter mode is buggy */
  207. /* LCOV_EXCL_START */
  208. log_err(LD_CRYPTO, "This OpenSSL has a buggy version of counter mode; "
  209. "quitting tor.");
  210. exit(1);
  211. /* LCOV_EXCL_STOP */
  212. }
  213. return 0;
  214. }
  215. #if !defined(USING_COUNTER_VARS)
  216. #define COUNTER(c, n) ((c)->ctr_buf.buf32[3-(n)])
  217. #else
  218. #define COUNTER(c, n) ((c)->counter ## n)
  219. #endif
  220. static void aes_set_key(aes_cnt_cipher_t *cipher, const char *key,
  221. int key_bits);
  222. static void aes_set_iv(aes_cnt_cipher_t *cipher, const char *iv);
  223. /**
  224. * Return a newly allocated counter-mode AES128 cipher implementation,
  225. * using the 128-bit key <b>key</b> and the 128-bit IV <b>iv</b>.
  226. */
  227. aes_cnt_cipher_t*
  228. aes_new_cipher(const char *key, const char *iv)
  229. {
  230. aes_cnt_cipher_t* result = tor_malloc_zero(sizeof(aes_cnt_cipher_t));
  231. aes_set_key(result, key, 128);
  232. aes_set_iv(result, iv);
  233. return result;
  234. }
  235. /** Set the key of <b>cipher</b> to <b>key</b>, which is
  236. * <b>key_bits</b> bits long (must be 128, 192, or 256). Also resets
  237. * the counter to 0.
  238. */
  239. static void
  240. aes_set_key(aes_cnt_cipher_t *cipher, const char *key, int key_bits)
  241. {
  242. if (should_use_EVP) {
  243. const EVP_CIPHER *c = 0;
  244. switch (key_bits) {
  245. case 128: c = EVP_aes_128_ecb(); break;
  246. case 192: c = EVP_aes_192_ecb(); break;
  247. case 256: c = EVP_aes_256_ecb(); break;
  248. default: tor_assert(0); // LCOV_EXCL_LINE
  249. }
  250. EVP_EncryptInit(&cipher->key.evp, c, (const unsigned char*)key, NULL);
  251. cipher->using_evp = 1;
  252. } else {
  253. AES_set_encrypt_key((const unsigned char *)key, key_bits,&cipher->key.aes);
  254. cipher->using_evp = 0;
  255. }
  256. #ifdef USING_COUNTER_VARS
  257. cipher->counter0 = 0;
  258. cipher->counter1 = 0;
  259. cipher->counter2 = 0;
  260. cipher->counter3 = 0;
  261. #endif
  262. memset(cipher->ctr_buf.buf, 0, sizeof(cipher->ctr_buf.buf));
  263. cipher->pos = 0;
  264. memset(cipher->buf, 0, sizeof(cipher->buf));
  265. }
  266. /** Release storage held by <b>cipher</b>
  267. */
  268. void
  269. aes_cipher_free(aes_cnt_cipher_t *cipher)
  270. {
  271. if (!cipher)
  272. return;
  273. if (cipher->using_evp) {
  274. EVP_CIPHER_CTX_cleanup(&cipher->key.evp);
  275. }
  276. memwipe(cipher, 0, sizeof(aes_cnt_cipher_t));
  277. tor_free(cipher);
  278. }
  279. #if defined(USING_COUNTER_VARS)
  280. #define UPDATE_CTR_BUF(c, n) STMT_BEGIN \
  281. (c)->ctr_buf.buf32[3-(n)] = htonl((c)->counter ## n); \
  282. STMT_END
  283. #else
  284. #define UPDATE_CTR_BUF(c, n)
  285. #endif
  286. /* Helper function to use EVP with openssl's counter-mode wrapper. */
  287. static void
  288. evp_block128_fn(const uint8_t in[16],
  289. uint8_t out[16],
  290. const void *key)
  291. {
  292. EVP_CIPHER_CTX *ctx = (void*)key;
  293. int inl=16, outl=16;
  294. EVP_EncryptUpdate(ctx, out, &outl, in, inl);
  295. }
  296. /** Encrypt <b>len</b> bytes from <b>input</b>, storing the results in place.
  297. * Uses the key in <b>cipher</b>, and advances the counter by <b>len</b> bytes
  298. * as it encrypts.
  299. */
  300. void
  301. aes_crypt_inplace(aes_cnt_cipher_t *cipher, char *data, size_t len)
  302. {
  303. if (cipher->using_evp) {
  304. /* In openssl 1.0.0, there's an if'd out EVP_aes_128_ctr in evp.h. If
  305. * it weren't disabled, it might be better just to use that.
  306. */
  307. CRYPTO_ctr128_encrypt((const unsigned char *)data,
  308. (unsigned char *)data,
  309. len,
  310. &cipher->key.evp,
  311. cipher->ctr_buf.buf,
  312. cipher->buf,
  313. &cipher->pos,
  314. evp_block128_fn);
  315. } else {
  316. AES_ctr128_encrypt((const unsigned char *)data,
  317. (unsigned char *)data,
  318. len,
  319. &cipher->key.aes,
  320. cipher->ctr_buf.buf,
  321. cipher->buf,
  322. &cipher->pos);
  323. }
  324. }
  325. /** Reset the 128-bit counter of <b>cipher</b> to the 16-bit big-endian value
  326. * in <b>iv</b>. */
  327. static void
  328. aes_set_iv(aes_cnt_cipher_t *cipher, const char *iv)
  329. {
  330. #ifdef USING_COUNTER_VARS
  331. cipher->counter3 = ntohl(get_uint32(iv));
  332. cipher->counter2 = ntohl(get_uint32(iv+4));
  333. cipher->counter1 = ntohl(get_uint32(iv+8));
  334. cipher->counter0 = ntohl(get_uint32(iv+12));
  335. #endif
  336. cipher->pos = 0;
  337. memcpy(cipher->ctr_buf.buf, iv, 16);
  338. }
  339. #endif