1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
|
/* Copyright (c) 2001, Matej Pfajfar.
* Copyright (c) 2001-2004, Roger Dingledine.
* Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
* Copyright (c) 2007-2019, The Tor Project, Inc. */
/* See LICENSE for licensing information */
/**
* \file aes_openssl.c
* \brief Use OpenSSL to implement AES_CTR.
**/
#include "orconfig.h"
#include "lib/crypt_ops/aes.h"
#include "lib/crypt_ops/crypto_util.h"
#include "lib/log/util_bug.h"
#include "lib/arch/bytes.h"
#ifdef _WIN32 /*wrkard for dtls1.h >= 0.9.8m of "#include <winsock.h>"*/
#include <winsock2.h>
#include <ws2tcpip.h>
#endif
#include "lib/crypt_ops/compat_openssl.h"
#include <openssl/opensslv.h>
#include "lib/crypt_ops/crypto_openssl_mgt.h"
#if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,0,0)
#error "We require OpenSSL >= 1.0.0"
#endif
DISABLE_GCC_WARNING(redundant-decls)
#include <stdlib.h>
#include <string.h>
#include <openssl/aes.h>
#include <openssl/evp.h>
#include <openssl/engine.h>
#include <openssl/modes.h>
ENABLE_GCC_WARNING(redundant-decls)
#include "lib/crypt_ops/aes.h"
#include "lib/log/log.h"
#include "lib/ctime/di_ops.h"
#ifdef OPENSSL_NO_ENGINE
/* Android's OpenSSL seems to have removed all of its Engine support. */
#define DISABLE_ENGINES
#endif
/* We have five strategies for implementing AES counter mode.
*
* Best with x86 and x86_64: Use EVP_aes_*_ctr() and EVP_EncryptUpdate().
* This is possible with OpenSSL 1.0.1, where the counter-mode implementation
* can use bit-sliced or vectorized AES or AESNI as appropriate.
*
* Otherwise: Pick the best possible AES block implementation that OpenSSL
* gives us, and the best possible counter-mode implementation, and combine
* them.
*/
#if OPENSSL_VERSION_NUMBER >= OPENSSL_V_NOPATCH(1,1,0)
/* With newer OpenSSL versions, the older fallback modes don't compile. So
* don't use them, even if we lack specific acceleration. */
#define USE_EVP_AES_CTR
#elif OPENSSL_VERSION_NUMBER >= OPENSSL_V_NOPATCH(1,0,1) && \
(defined(__i386) || defined(__i386__) || defined(_M_IX86) || \
defined(__x86_64) || defined(__x86_64__) || \
defined(_M_AMD64) || defined(_M_X64) || defined(__INTEL__))
#define USE_EVP_AES_CTR
#endif /* OPENSSL_VERSION_NUMBER >= OPENSSL_V_NOPATCH(1,1,0) || ... */
/* We have 2 strategies for getting the AES block cipher: Via OpenSSL's
* AES_encrypt function, or via OpenSSL's EVP_EncryptUpdate function.
*
* If there's any hardware acceleration in play, we want to be using EVP_* so
* we can get it. Otherwise, we'll want AES_*, which seems to be about 5%
* faster than indirecting through the EVP layer.
*/
/* We have 2 strategies for getting a plug-in counter mode: use our own, or
* use OpenSSL's.
*
* Here we have a counter mode that's faster than the one shipping with
* OpenSSL pre-1.0 (by about 10%!). But OpenSSL 1.0.0 added a counter mode
* implementation faster than the one here (by about 7%). So we pick which
* one to used based on the Openssl version above. (OpenSSL 1.0.0a fixed a
* critical bug in that counter mode implementation, so we need to test to
* make sure that we have a fixed version.)
*/
#ifdef USE_EVP_AES_CTR
/* We don't actually define the struct here. */
aes_cnt_cipher_t *
aes_new_cipher(const uint8_t *key, const uint8_t *iv, int key_bits)
{
EVP_CIPHER_CTX *cipher = EVP_CIPHER_CTX_new();
const EVP_CIPHER *c = NULL;
switch (key_bits) {
case 128: c = EVP_aes_128_ctr(); break;
case 192: c = EVP_aes_192_ctr(); break;
case 256: c = EVP_aes_256_ctr(); break;
default: tor_assert_unreached(); // LCOV_EXCL_LINE
}
EVP_EncryptInit(cipher, c, key, iv);
return (aes_cnt_cipher_t *) cipher;
}
void
aes_cipher_free_(aes_cnt_cipher_t *cipher_)
{
if (!cipher_)
return;
EVP_CIPHER_CTX *cipher = (EVP_CIPHER_CTX *) cipher_;
#ifdef OPENSSL_1_1_API
EVP_CIPHER_CTX_reset(cipher);
#else
EVP_CIPHER_CTX_cleanup(cipher);
#endif
EVP_CIPHER_CTX_free(cipher);
}
void
aes_crypt_inplace(aes_cnt_cipher_t *cipher_, char *data, size_t len)
{
int outl;
EVP_CIPHER_CTX *cipher = (EVP_CIPHER_CTX *) cipher_;
tor_assert(len < INT_MAX);
EVP_EncryptUpdate(cipher, (unsigned char*)data,
&outl, (unsigned char*)data, (int)len);
}
int
evaluate_evp_for_aes(int force_val)
{
(void) force_val;
log_info(LD_CRYPTO, "This version of OpenSSL has a known-good EVP "
"counter-mode implementation. Using it.");
return 0;
}
int
evaluate_ctr_for_aes(void)
{
return 0;
}
#else /* !(defined(USE_EVP_AES_CTR)) */
/*======================================================================*/
/* Interface to AES code, and counter implementation */
/** Implements an AES counter-mode cipher. */
struct aes_cnt_cipher {
/** This next element (however it's defined) is the AES key. */
union {
EVP_CIPHER_CTX evp;
AES_KEY aes;
} key;
#if !defined(WORDS_BIGENDIAN)
#define USING_COUNTER_VARS
/** These four values, together, implement a 128-bit counter, with
* counter0 as the low-order word and counter3 as the high-order word. */
uint32_t counter3;
uint32_t counter2;
uint32_t counter1;
uint32_t counter0;
#endif /* !defined(WORDS_BIGENDIAN) */
union {
/** The counter, in big-endian order, as bytes. */
uint8_t buf[16];
/** The counter, in big-endian order, as big-endian words. Note that
* on big-endian platforms, this is redundant with counter3...0,
* so we just use these values instead. */
uint32_t buf32[4];
} ctr_buf;
/** The encrypted value of ctr_buf. */
uint8_t buf[16];
/** Our current stream position within buf. */
unsigned int pos;
/** True iff we're using the evp implementation of this cipher. */
uint8_t using_evp;
};
/** True iff we should prefer the EVP implementation for AES, either because
* we're testing it or because we have hardware acceleration configured */
static int should_use_EVP = 0;
/** Check whether we should use the EVP interface for AES. If <b>force_val</b>
* is nonnegative, we use use EVP iff it is true. Otherwise, we use EVP
* if there is an engine enabled for aes-ecb. */
int
evaluate_evp_for_aes(int force_val)
{
ENGINE *e;
if (force_val >= 0) {
should_use_EVP = force_val;
return 0;
}
#ifdef DISABLE_ENGINES
should_use_EVP = 0;
#else
e = ENGINE_get_cipher_engine(NID_aes_128_ecb);
if (e) {
log_info(LD_CRYPTO, "AES engine \"%s\" found; using EVP_* functions.",
ENGINE_get_name(e));
should_use_EVP = 1;
} else {
log_info(LD_CRYPTO, "No AES engine found; using AES_* functions.");
should_use_EVP = 0;
}
#endif /* defined(DISABLE_ENGINES) */
return 0;
}
/** Test the OpenSSL counter mode implementation to see whether it has the
* counter-mode bug from OpenSSL 1.0.0. If the implementation works, then
* we will use it for future encryption/decryption operations.
*
* We can't just look at the OpenSSL version, since some distributions update
* their OpenSSL packages without changing the version number.
**/
int
evaluate_ctr_for_aes(void)
{
/* Result of encrypting an all-zero block with an all-zero 128-bit AES key.
* This should be the same as encrypting an all-zero block with an all-zero
* 128-bit AES key in counter mode, starting at position 0 of the stream.
*/
static const unsigned char encrypt_zero[] =
"\x66\xe9\x4b\xd4\xef\x8a\x2c\x3b\x88\x4c\xfa\x59\xca\x34\x2b\x2e";
unsigned char zero[16];
unsigned char output[16];
unsigned char ivec[16];
unsigned char ivec_tmp[16];
unsigned int pos, i;
AES_KEY key;
memset(zero, 0, sizeof(zero));
memset(ivec, 0, sizeof(ivec));
AES_set_encrypt_key(zero, 128, &key);
pos = 0;
/* Encrypting a block one byte at a time should make the error manifest
* itself for known bogus openssl versions. */
for (i=0; i<16; ++i)
AES_ctr128_encrypt(&zero[i], &output[i], 1, &key, ivec, ivec_tmp, &pos);
if (fast_memneq(output, encrypt_zero, 16)) {
/* Counter mode is buggy */
/* LCOV_EXCL_START */
log_err(LD_CRYPTO, "This OpenSSL has a buggy version of counter mode; "
"quitting tor.");
exit(1); // exit ok: openssl is broken.
/* LCOV_EXCL_STOP */
}
return 0;
}
#if !defined(USING_COUNTER_VARS)
#define COUNTER(c, n) ((c)->ctr_buf.buf32[3-(n)])
#else
#define COUNTER(c, n) ((c)->counter ## n)
#endif
static void aes_set_key(aes_cnt_cipher_t *cipher, const uint8_t *key,
int key_bits);
static void aes_set_iv(aes_cnt_cipher_t *cipher, const uint8_t *iv);
/**
* Return a newly allocated counter-mode AES128 cipher implementation,
* using the 128-bit key <b>key</b> and the 128-bit IV <b>iv</b>.
*/
aes_cnt_cipher_t*
aes_new_cipher(const uint8_t *key, const uint8_t *iv, int bits)
{
aes_cnt_cipher_t* result = tor_malloc_zero(sizeof(aes_cnt_cipher_t));
aes_set_key(result, key, bits);
aes_set_iv(result, iv);
return result;
}
/** Set the key of <b>cipher</b> to <b>key</b>, which is
* <b>key_bits</b> bits long (must be 128, 192, or 256). Also resets
* the counter to 0.
*/
static void
aes_set_key(aes_cnt_cipher_t *cipher, const uint8_t *key, int key_bits)
{
if (should_use_EVP) {
const EVP_CIPHER *c = 0;
switch (key_bits) {
case 128: c = EVP_aes_128_ecb(); break;
case 192: c = EVP_aes_192_ecb(); break;
case 256: c = EVP_aes_256_ecb(); break;
default: tor_assert(0); // LCOV_EXCL_LINE
}
EVP_EncryptInit(&cipher->key.evp, c, key, NULL);
cipher->using_evp = 1;
} else {
AES_set_encrypt_key(key, key_bits,&cipher->key.aes);
cipher->using_evp = 0;
}
#ifdef USING_COUNTER_VARS
cipher->counter0 = 0;
cipher->counter1 = 0;
cipher->counter2 = 0;
cipher->counter3 = 0;
#endif /* defined(USING_COUNTER_VARS) */
memset(cipher->ctr_buf.buf, 0, sizeof(cipher->ctr_buf.buf));
cipher->pos = 0;
memset(cipher->buf, 0, sizeof(cipher->buf));
}
/** Release storage held by <b>cipher</b>
*/
void
aes_cipher_free_(aes_cnt_cipher_t *cipher)
{
if (!cipher)
return;
if (cipher->using_evp) {
EVP_CIPHER_CTX_cleanup(&cipher->key.evp);
}
memwipe(cipher, 0, sizeof(aes_cnt_cipher_t));
tor_free(cipher);
}
#if defined(USING_COUNTER_VARS)
#define UPDATE_CTR_BUF(c, n) STMT_BEGIN \
(c)->ctr_buf.buf32[3-(n)] = htonl((c)->counter ## n); \
STMT_END
#else
#define UPDATE_CTR_BUF(c, n)
#endif /* defined(USING_COUNTER_VARS) */
/* Helper function to use EVP with openssl's counter-mode wrapper. */
static void
evp_block128_fn(const uint8_t in[16],
uint8_t out[16],
const void *key)
{
EVP_CIPHER_CTX *ctx = (void*)key;
int inl=16, outl=16;
EVP_EncryptUpdate(ctx, out, &outl, in, inl);
}
/** Encrypt <b>len</b> bytes from <b>input</b>, storing the results in place.
* Uses the key in <b>cipher</b>, and advances the counter by <b>len</b> bytes
* as it encrypts.
*/
void
aes_crypt_inplace(aes_cnt_cipher_t *cipher, char *data, size_t len)
{
/* Note that the "128" below refers to the length of the counter,
* not the length of the AES key. */
if (cipher->using_evp) {
/* In openssl 1.0.0, there's an if'd out EVP_aes_128_ctr in evp.h. If
* it weren't disabled, it might be better just to use that.
*/
CRYPTO_ctr128_encrypt((const unsigned char *)data,
(unsigned char *)data,
len,
&cipher->key.evp,
cipher->ctr_buf.buf,
cipher->buf,
&cipher->pos,
evp_block128_fn);
} else {
AES_ctr128_encrypt((const unsigned char *)data,
(unsigned char *)data,
len,
&cipher->key.aes,
cipher->ctr_buf.buf,
cipher->buf,
&cipher->pos);
}
}
/** Reset the 128-bit counter of <b>cipher</b> to the 16-bit big-endian value
* in <b>iv</b>. */
static void
aes_set_iv(aes_cnt_cipher_t *cipher, const uint8_t *iv)
{
#ifdef USING_COUNTER_VARS
cipher->counter3 = tor_ntohl(get_uint32(iv));
cipher->counter2 = tor_ntohl(get_uint32(iv+4));
cipher->counter1 = tor_ntohl(get_uint32(iv+8));
cipher->counter0 = tor_ntohl(get_uint32(iv+12));
#endif /* defined(USING_COUNTER_VARS) */
cipher->pos = 0;
memcpy(cipher->ctr_buf.buf, iv, 16);
}
#endif /* defined(USE_EVP_AES_CTR) */
|
