Line data Source code
1 : /* Copyright (c) 2001, Matej Pfajfar.
2 : * Copyright (c) 2001-2004, Roger Dingledine.
3 : * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 : * Copyright (c) 2007-2021, The Tor Project, Inc. */
5 : /* See LICENSE for licensing information */
6 :
7 : /**
8 : * \file aes_openssl.c
9 : * \brief Use OpenSSL to implement AES_CTR.
10 : **/
11 :
12 : #include "orconfig.h"
13 : #include "lib/crypt_ops/aes.h"
14 : #include "lib/crypt_ops/crypto_util.h"
15 : #include "lib/log/util_bug.h"
16 : #include "lib/arch/bytes.h"
17 :
18 : #ifdef _WIN32 /*wrkard for dtls1.h >= 0.9.8m of "#include <winsock.h>"*/
19 : #include <winsock2.h>
20 : #include <ws2tcpip.h>
21 : #endif
22 :
23 : #include "lib/crypt_ops/compat_openssl.h"
24 : #include <openssl/opensslv.h>
25 : #include "lib/crypt_ops/crypto_openssl_mgt.h"
26 :
27 : #if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,0,0)
28 : #error "We require OpenSSL >= 1.0.0"
29 : #endif
30 :
31 : DISABLE_GCC_WARNING("-Wredundant-decls")
32 :
33 : #include <stdlib.h>
34 : #include <string.h>
35 : #include <openssl/aes.h>
36 : #include <openssl/evp.h>
37 : #include <openssl/engine.h>
38 : #include <openssl/modes.h>
39 :
40 : ENABLE_GCC_WARNING("-Wredundant-decls")
41 :
42 : #include "lib/log/log.h"
43 : #include "lib/ctime/di_ops.h"
44 :
45 : #ifdef OPENSSL_NO_ENGINE
46 : /* Android's OpenSSL seems to have removed all of its Engine support. */
47 : #define DISABLE_ENGINES
48 : #endif
49 :
50 : /* We have five strategies for implementing AES counter mode.
51 : *
52 : * Best with x86 and x86_64: Use EVP_aes_*_ctr() and EVP_EncryptUpdate().
53 : * This is possible with OpenSSL 1.0.1, where the counter-mode implementation
54 : * can use bit-sliced or vectorized AES or AESNI as appropriate.
55 : *
56 : * Otherwise: Pick the best possible AES block implementation that OpenSSL
57 : * gives us, and the best possible counter-mode implementation, and combine
58 : * them.
59 : */
60 : #if OPENSSL_VERSION_NUMBER >= OPENSSL_V_NOPATCH(1,1,0)
61 :
62 : /* With newer OpenSSL versions, the older fallback modes don't compile. So
63 : * don't use them, even if we lack specific acceleration. */
64 :
65 : #define USE_EVP_AES_CTR
66 :
67 : #elif OPENSSL_VERSION_NUMBER >= OPENSSL_V_NOPATCH(1,0,1) && \
68 : (defined(__i386) || defined(__i386__) || defined(_M_IX86) || \
69 : defined(__x86_64) || defined(__x86_64__) || \
70 : defined(_M_AMD64) || defined(_M_X64) || defined(__INTEL__))
71 :
72 : #define USE_EVP_AES_CTR
73 :
74 : #endif /* OPENSSL_VERSION_NUMBER >= OPENSSL_V_NOPATCH(1,1,0) || ... */
75 :
76 : /* We have 2 strategies for getting the AES block cipher: Via OpenSSL's
77 : * AES_encrypt function, or via OpenSSL's EVP_EncryptUpdate function.
78 : *
79 : * If there's any hardware acceleration in play, we want to be using EVP_* so
80 : * we can get it. Otherwise, we'll want AES_*, which seems to be about 5%
81 : * faster than indirecting through the EVP layer.
82 : */
83 :
84 : /* We have 2 strategies for getting a plug-in counter mode: use our own, or
85 : * use OpenSSL's.
86 : *
87 : * Here we have a counter mode that's faster than the one shipping with
88 : * OpenSSL pre-1.0 (by about 10%!). But OpenSSL 1.0.0 added a counter mode
89 : * implementation faster than the one here (by about 7%). So we pick which
90 : * one to used based on the Openssl version above. (OpenSSL 1.0.0a fixed a
91 : * critical bug in that counter mode implementation, so we need to test to
92 : * make sure that we have a fixed version.)
93 : */
94 :
95 : #ifdef USE_EVP_AES_CTR
96 :
97 : /* We don't actually define the struct here. */
98 :
99 : aes_cnt_cipher_t *
100 13555 : aes_new_cipher(const uint8_t *key, const uint8_t *iv, int key_bits)
101 : {
102 13555 : EVP_CIPHER_CTX *cipher = EVP_CIPHER_CTX_new();
103 13555 : const EVP_CIPHER *c = NULL;
104 13555 : switch (key_bits) {
105 292 : case 128: c = EVP_aes_128_ctr(); break;
106 1 : case 192: c = EVP_aes_192_ctr(); break;
107 13262 : case 256: c = EVP_aes_256_ctr(); break;
108 : default: tor_assert_unreached(); // LCOV_EXCL_LINE
109 : }
110 13555 : EVP_EncryptInit(cipher, c, key, iv);
111 13555 : return (aes_cnt_cipher_t *) cipher;
112 : }
113 : void
114 13533 : aes_cipher_free_(aes_cnt_cipher_t *cipher_)
115 : {
116 13533 : if (!cipher_)
117 : return;
118 13533 : EVP_CIPHER_CTX *cipher = (EVP_CIPHER_CTX *) cipher_;
119 : #ifdef OPENSSL_1_1_API
120 13533 : EVP_CIPHER_CTX_reset(cipher);
121 : #else
122 : EVP_CIPHER_CTX_cleanup(cipher);
123 : #endif
124 13533 : EVP_CIPHER_CTX_free(cipher);
125 : }
126 : void
127 77471 : aes_crypt_inplace(aes_cnt_cipher_t *cipher_, char *data, size_t len)
128 : {
129 77471 : int outl;
130 77471 : EVP_CIPHER_CTX *cipher = (EVP_CIPHER_CTX *) cipher_;
131 :
132 77471 : tor_assert(len < INT_MAX);
133 :
134 77471 : EVP_EncryptUpdate(cipher, (unsigned char*)data,
135 : &outl, (unsigned char*)data, (int)len);
136 77471 : }
137 : int
138 5531 : evaluate_evp_for_aes(int force_val)
139 : {
140 5531 : (void) force_val;
141 5531 : log_info(LD_CRYPTO, "This version of OpenSSL has a known-good EVP "
142 : "counter-mode implementation. Using it.");
143 5531 : return 0;
144 : }
145 : int
146 5529 : evaluate_ctr_for_aes(void)
147 : {
148 5529 : return 0;
149 : }
150 : #else /* !defined(USE_EVP_AES_CTR) */
151 :
152 : /*======================================================================*/
153 : /* Interface to AES code, and counter implementation */
154 :
155 : /** Implements an AES counter-mode cipher. */
156 : struct aes_cnt_cipher_t {
157 : /** This next element (however it's defined) is the AES key. */
158 : union {
159 : EVP_CIPHER_CTX evp;
160 : AES_KEY aes;
161 : } key;
162 :
163 : #if !defined(WORDS_BIGENDIAN)
164 : #define USING_COUNTER_VARS
165 : /** These four values, together, implement a 128-bit counter, with
166 : * counter0 as the low-order word and counter3 as the high-order word. */
167 : uint32_t counter3;
168 : uint32_t counter2;
169 : uint32_t counter1;
170 : uint32_t counter0;
171 : #endif /* !defined(WORDS_BIGENDIAN) */
172 :
173 : union {
174 : /** The counter, in big-endian order, as bytes. */
175 : uint8_t buf[16];
176 : /** The counter, in big-endian order, as big-endian words. Note that
177 : * on big-endian platforms, this is redundant with counter3...0,
178 : * so we just use these values instead. */
179 : uint32_t buf32[4];
180 : } ctr_buf;
181 :
182 : /** The encrypted value of ctr_buf. */
183 : uint8_t buf[16];
184 : /** Our current stream position within buf. */
185 : unsigned int pos;
186 :
187 : /** True iff we're using the evp implementation of this cipher. */
188 : uint8_t using_evp;
189 : };
190 :
191 : /** True iff we should prefer the EVP implementation for AES, either because
192 : * we're testing it or because we have hardware acceleration configured */
193 : static int should_use_EVP = 0;
194 :
195 : /** Check whether we should use the EVP interface for AES. If <b>force_val</b>
196 : * is nonnegative, we use use EVP iff it is true. Otherwise, we use EVP
197 : * if there is an engine enabled for aes-ecb. */
198 : int
199 : evaluate_evp_for_aes(int force_val)
200 : {
201 : ENGINE *e;
202 :
203 : if (force_val >= 0) {
204 : should_use_EVP = force_val;
205 : return 0;
206 : }
207 : #ifdef DISABLE_ENGINES
208 : should_use_EVP = 0;
209 : #else
210 : e = ENGINE_get_cipher_engine(NID_aes_128_ecb);
211 :
212 : if (e) {
213 : log_info(LD_CRYPTO, "AES engine \"%s\" found; using EVP_* functions.",
214 : ENGINE_get_name(e));
215 : should_use_EVP = 1;
216 : } else {
217 : log_info(LD_CRYPTO, "No AES engine found; using AES_* functions.");
218 : should_use_EVP = 0;
219 : }
220 : #endif /* defined(DISABLE_ENGINES) */
221 :
222 : return 0;
223 : }
224 :
225 : /** Test the OpenSSL counter mode implementation to see whether it has the
226 : * counter-mode bug from OpenSSL 1.0.0. If the implementation works, then
227 : * we will use it for future encryption/decryption operations.
228 : *
229 : * We can't just look at the OpenSSL version, since some distributions update
230 : * their OpenSSL packages without changing the version number.
231 : **/
232 : int
233 : evaluate_ctr_for_aes(void)
234 : {
235 : /* Result of encrypting an all-zero block with an all-zero 128-bit AES key.
236 : * This should be the same as encrypting an all-zero block with an all-zero
237 : * 128-bit AES key in counter mode, starting at position 0 of the stream.
238 : */
239 : static const unsigned char encrypt_zero[] =
240 : "\x66\xe9\x4b\xd4\xef\x8a\x2c\x3b\x88\x4c\xfa\x59\xca\x34\x2b\x2e";
241 : unsigned char zero[16];
242 : unsigned char output[16];
243 : unsigned char ivec[16];
244 : unsigned char ivec_tmp[16];
245 : unsigned int pos, i;
246 : AES_KEY key;
247 : memset(zero, 0, sizeof(zero));
248 : memset(ivec, 0, sizeof(ivec));
249 : AES_set_encrypt_key(zero, 128, &key);
250 :
251 : pos = 0;
252 : /* Encrypting a block one byte at a time should make the error manifest
253 : * itself for known bogus openssl versions. */
254 : for (i=0; i<16; ++i)
255 : AES_ctr128_encrypt(&zero[i], &output[i], 1, &key, ivec, ivec_tmp, &pos);
256 :
257 : if (fast_memneq(output, encrypt_zero, 16)) {
258 : /* Counter mode is buggy */
259 : /* LCOV_EXCL_START */
260 : log_err(LD_CRYPTO, "This OpenSSL has a buggy version of counter mode; "
261 : "quitting tor.");
262 : exit(1); // exit ok: openssl is broken.
263 : /* LCOV_EXCL_STOP */
264 : }
265 : return 0;
266 : }
267 :
268 : #if !defined(USING_COUNTER_VARS)
269 : #define COUNTER(c, n) ((c)->ctr_buf.buf32[3-(n)])
270 : #else
271 : #define COUNTER(c, n) ((c)->counter ## n)
272 : #endif
273 :
274 : static void aes_set_key(aes_cnt_cipher_t *cipher, const uint8_t *key,
275 : int key_bits);
276 : static void aes_set_iv(aes_cnt_cipher_t *cipher, const uint8_t *iv);
277 :
278 : /**
279 : * Return a newly allocated counter-mode AES128 cipher implementation,
280 : * using the 128-bit key <b>key</b> and the 128-bit IV <b>iv</b>.
281 : */
282 : aes_cnt_cipher_t*
283 : aes_new_cipher(const uint8_t *key, const uint8_t *iv, int bits)
284 : {
285 : aes_cnt_cipher_t* result = tor_malloc_zero(sizeof(aes_cnt_cipher_t));
286 :
287 : aes_set_key(result, key, bits);
288 : aes_set_iv(result, iv);
289 :
290 : return result;
291 : }
292 :
293 : /** Set the key of <b>cipher</b> to <b>key</b>, which is
294 : * <b>key_bits</b> bits long (must be 128, 192, or 256). Also resets
295 : * the counter to 0.
296 : */
297 : static void
298 : aes_set_key(aes_cnt_cipher_t *cipher, const uint8_t *key, int key_bits)
299 : {
300 : if (should_use_EVP) {
301 : const EVP_CIPHER *c = 0;
302 : switch (key_bits) {
303 : case 128: c = EVP_aes_128_ecb(); break;
304 : case 192: c = EVP_aes_192_ecb(); break;
305 : case 256: c = EVP_aes_256_ecb(); break;
306 : default: tor_assert(0); // LCOV_EXCL_LINE
307 : }
308 : EVP_EncryptInit(&cipher->key.evp, c, key, NULL);
309 : cipher->using_evp = 1;
310 : } else {
311 : AES_set_encrypt_key(key, key_bits,&cipher->key.aes);
312 : cipher->using_evp = 0;
313 : }
314 :
315 : #ifdef USING_COUNTER_VARS
316 : cipher->counter0 = 0;
317 : cipher->counter1 = 0;
318 : cipher->counter2 = 0;
319 : cipher->counter3 = 0;
320 : #endif /* defined(USING_COUNTER_VARS) */
321 :
322 : memset(cipher->ctr_buf.buf, 0, sizeof(cipher->ctr_buf.buf));
323 :
324 : cipher->pos = 0;
325 :
326 : memset(cipher->buf, 0, sizeof(cipher->buf));
327 : }
328 :
329 : /** Release storage held by <b>cipher</b>
330 : */
331 : void
332 : aes_cipher_free_(aes_cnt_cipher_t *cipher)
333 : {
334 : if (!cipher)
335 : return;
336 : if (cipher->using_evp) {
337 : EVP_CIPHER_CTX_cleanup(&cipher->key.evp);
338 : }
339 : memwipe(cipher, 0, sizeof(aes_cnt_cipher_t));
340 : tor_free(cipher);
341 : }
342 :
343 : #if defined(USING_COUNTER_VARS)
344 : #define UPDATE_CTR_BUF(c, n) STMT_BEGIN \
345 : (c)->ctr_buf.buf32[3-(n)] = htonl((c)->counter ## n); \
346 : STMT_END
347 : #else
348 : #define UPDATE_CTR_BUF(c, n)
349 : #endif /* defined(USING_COUNTER_VARS) */
350 :
351 : /* Helper function to use EVP with openssl's counter-mode wrapper. */
352 : static void
353 : evp_block128_fn(const uint8_t in[16],
354 : uint8_t out[16],
355 : const void *key)
356 : {
357 : EVP_CIPHER_CTX *ctx = (void*)key;
358 : int inl=16, outl=16;
359 : EVP_EncryptUpdate(ctx, out, &outl, in, inl);
360 : }
361 :
362 : /** Encrypt <b>len</b> bytes from <b>input</b>, storing the results in place.
363 : * Uses the key in <b>cipher</b>, and advances the counter by <b>len</b> bytes
364 : * as it encrypts.
365 : */
366 : void
367 : aes_crypt_inplace(aes_cnt_cipher_t *cipher, char *data, size_t len)
368 : {
369 : /* Note that the "128" below refers to the length of the counter,
370 : * not the length of the AES key. */
371 : if (cipher->using_evp) {
372 : /* In openssl 1.0.0, there's an if'd out EVP_aes_128_ctr in evp.h. If
373 : * it weren't disabled, it might be better just to use that.
374 : */
375 : CRYPTO_ctr128_encrypt((const unsigned char *)data,
376 : (unsigned char *)data,
377 : len,
378 : &cipher->key.evp,
379 : cipher->ctr_buf.buf,
380 : cipher->buf,
381 : &cipher->pos,
382 : evp_block128_fn);
383 : } else {
384 : AES_ctr128_encrypt((const unsigned char *)data,
385 : (unsigned char *)data,
386 : len,
387 : &cipher->key.aes,
388 : cipher->ctr_buf.buf,
389 : cipher->buf,
390 : &cipher->pos);
391 : }
392 : }
393 :
394 : /** Reset the 128-bit counter of <b>cipher</b> to the 16-bit big-endian value
395 : * in <b>iv</b>. */
396 : static void
397 : aes_set_iv(aes_cnt_cipher_t *cipher, const uint8_t *iv)
398 : {
399 : #ifdef USING_COUNTER_VARS
400 : cipher->counter3 = tor_ntohl(get_uint32(iv));
401 : cipher->counter2 = tor_ntohl(get_uint32(iv+4));
402 : cipher->counter1 = tor_ntohl(get_uint32(iv+8));
403 : cipher->counter0 = tor_ntohl(get_uint32(iv+12));
404 : #endif /* defined(USING_COUNTER_VARS) */
405 : cipher->pos = 0;
406 : memcpy(cipher->ctr_buf.buf, iv, 16);
407 : }
408 :
409 : #endif /* defined(USE_EVP_AES_CTR) */
|
