tor  0.4.2.1-alpha-dev
aes_openssl.c
Go to the documentation of this file.
1 /* Copyright (c) 2001, Matej Pfajfar.
2  * Copyright (c) 2001-2004, Roger Dingledine.
3  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4  * Copyright (c) 2007-2019, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
6 
12 #include "orconfig.h"
13 #include "lib/crypt_ops/aes.h"
15 #include "lib/log/util_bug.h"
16 #include "lib/arch/bytes.h"
17 
18 #ifdef _WIN32 /*wrkard for dtls1.h >= 0.9.8m of "#include <winsock.h>"*/
19  #include <winsock2.h>
20  #include <ws2tcpip.h>
21 #endif
22 
23 #include "lib/crypt_ops/compat_openssl.h"
24 #include <openssl/opensslv.h>
26 
27 #if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,0,0)
28 #error "We require OpenSSL >= 1.0.0"
29 #endif
30 
31 DISABLE_GCC_WARNING(redundant-decls)
32 
33 #include <stdlib.h>
34 #include <string.h>
35 #include <openssl/aes.h>
36 #include <openssl/evp.h>
37 #include <openssl/engine.h>
38 #include <openssl/modes.h>
39 
40 ENABLE_GCC_WARNING(redundant-decls)
41 
42 #include "lib/crypt_ops/aes.h"
43 #include "lib/log/log.h"
44 #include "lib/ctime/di_ops.h"
45 
46 #ifdef OPENSSL_NO_ENGINE
47 /* Android's OpenSSL seems to have removed all of its Engine support. */
48 #define DISABLE_ENGINES
49 #endif
50 
51 /* We have five strategies for implementing AES counter mode.
52  *
53  * Best with x86 and x86_64: Use EVP_aes_*_ctr() and EVP_EncryptUpdate().
54  * This is possible with OpenSSL 1.0.1, where the counter-mode implementation
55  * can use bit-sliced or vectorized AES or AESNI as appropriate.
56  *
57  * Otherwise: Pick the best possible AES block implementation that OpenSSL
58  * gives us, and the best possible counter-mode implementation, and combine
59  * them.
60  */
61 #if OPENSSL_VERSION_NUMBER >= OPENSSL_V_NOPATCH(1,1,0)
62 
63 /* With newer OpenSSL versions, the older fallback modes don't compile. So
64  * don't use them, even if we lack specific acceleration. */
65 
66 #define USE_EVP_AES_CTR
67 
68 #elif OPENSSL_VERSION_NUMBER >= OPENSSL_V_NOPATCH(1,0,1) && \
69  (defined(__i386) || defined(__i386__) || defined(_M_IX86) || \
70  defined(__x86_64) || defined(__x86_64__) || \
71  defined(_M_AMD64) || defined(_M_X64) || defined(__INTEL__))
72 
73 #define USE_EVP_AES_CTR
74 
75 #endif /* OPENSSL_VERSION_NUMBER >= OPENSSL_V_NOPATCH(1,1,0) || ... */
76 
77 /* We have 2 strategies for getting the AES block cipher: Via OpenSSL's
78  * AES_encrypt function, or via OpenSSL's EVP_EncryptUpdate function.
79  *
80  * If there's any hardware acceleration in play, we want to be using EVP_* so
81  * we can get it. Otherwise, we'll want AES_*, which seems to be about 5%
82  * faster than indirecting through the EVP layer.
83  */
84 
85 /* We have 2 strategies for getting a plug-in counter mode: use our own, or
86  * use OpenSSL's.
87  *
88  * Here we have a counter mode that's faster than the one shipping with
89  * OpenSSL pre-1.0 (by about 10%!). But OpenSSL 1.0.0 added a counter mode
90  * implementation faster than the one here (by about 7%). So we pick which
91  * one to used based on the Openssl version above. (OpenSSL 1.0.0a fixed a
92  * critical bug in that counter mode implementation, so we need to test to
93  * make sure that we have a fixed version.)
94  */
95 
96 #ifdef USE_EVP_AES_CTR
97 
98 /* We don't actually define the struct here. */
99 
100 aes_cnt_cipher_t *
101 aes_new_cipher(const uint8_t *key, const uint8_t *iv, int key_bits)
102 {
103  EVP_CIPHER_CTX *cipher = EVP_CIPHER_CTX_new();
104  const EVP_CIPHER *c = NULL;
105  switch (key_bits) {
106  case 128: c = EVP_aes_128_ctr(); break;
107  case 192: c = EVP_aes_192_ctr(); break;
108  case 256: c = EVP_aes_256_ctr(); break;
109  default: tor_assert_unreached(); // LCOV_EXCL_LINE
110  }
111  EVP_EncryptInit(cipher, c, key, iv);
112  return (aes_cnt_cipher_t *) cipher;
113 }
114 void
115 aes_cipher_free_(aes_cnt_cipher_t *cipher_)
116 {
117  if (!cipher_)
118  return;
119  EVP_CIPHER_CTX *cipher = (EVP_CIPHER_CTX *) cipher_;
120 #ifdef OPENSSL_1_1_API
121  EVP_CIPHER_CTX_reset(cipher);
122 #else
123  EVP_CIPHER_CTX_cleanup(cipher);
124 #endif
125  EVP_CIPHER_CTX_free(cipher);
126 }
127 void
128 aes_crypt_inplace(aes_cnt_cipher_t *cipher_, char *data, size_t len)
129 {
130  int outl;
131  EVP_CIPHER_CTX *cipher = (EVP_CIPHER_CTX *) cipher_;
132 
133  tor_assert(len < INT_MAX);
134 
135  EVP_EncryptUpdate(cipher, (unsigned char*)data,
136  &outl, (unsigned char*)data, (int)len);
137 }
138 int
139 evaluate_evp_for_aes(int force_val)
140 {
141  (void) force_val;
142  log_info(LD_CRYPTO, "This version of OpenSSL has a known-good EVP "
143  "counter-mode implementation. Using it.");
144  return 0;
145 }
146 int
147 evaluate_ctr_for_aes(void)
148 {
149  return 0;
150 }
151 #else /* !(defined(USE_EVP_AES_CTR)) */
152 
153 /*======================================================================*/
154 /* Interface to AES code, and counter implementation */
155 
157 struct aes_cnt_cipher {
159  union {
160  EVP_CIPHER_CTX evp;
161  AES_KEY aes;
162  } key;
163 
164 #if !defined(WORDS_BIGENDIAN)
165 #define USING_COUNTER_VARS
166 
168  uint32_t counter3;
169  uint32_t counter2;
170  uint32_t counter1;
171  uint32_t counter0;
172 #endif /* !defined(WORDS_BIGENDIAN) */
173 
174  union {
176  uint8_t buf[16];
180  uint32_t buf32[4];
181  } ctr_buf;
182 
184  uint8_t buf[16];
186  unsigned int pos;
187 
189  uint8_t using_evp;
190 };
191 
194 static int should_use_EVP = 0;
195 
199 int
200 evaluate_evp_for_aes(int force_val)
201 {
202  ENGINE *e;
203 
204  if (force_val >= 0) {
205  should_use_EVP = force_val;
206  return 0;
207  }
208 #ifdef DISABLE_ENGINES
209  should_use_EVP = 0;
210 #else
211  e = ENGINE_get_cipher_engine(NID_aes_128_ecb);
212 
213  if (e) {
214  log_info(LD_CRYPTO, "AES engine \"%s\" found; using EVP_* functions.",
215  ENGINE_get_name(e));
216  should_use_EVP = 1;
217  } else {
218  log_info(LD_CRYPTO, "No AES engine found; using AES_* functions.");
219  should_use_EVP = 0;
220  }
221 #endif /* defined(DISABLE_ENGINES) */
222 
223  return 0;
224 }
225 
233 int
234 evaluate_ctr_for_aes(void)
235 {
236  /* Result of encrypting an all-zero block with an all-zero 128-bit AES key.
237  * This should be the same as encrypting an all-zero block with an all-zero
238  * 128-bit AES key in counter mode, starting at position 0 of the stream.
239  */
240  static const unsigned char encrypt_zero[] =
241  "\x66\xe9\x4b\xd4\xef\x8a\x2c\x3b\x88\x4c\xfa\x59\xca\x34\x2b\x2e";
242  unsigned char zero[16];
243  unsigned char output[16];
244  unsigned char ivec[16];
245  unsigned char ivec_tmp[16];
246  unsigned int pos, i;
247  AES_KEY key;
248  memset(zero, 0, sizeof(zero));
249  memset(ivec, 0, sizeof(ivec));
250  AES_set_encrypt_key(zero, 128, &key);
251 
252  pos = 0;
253  /* Encrypting a block one byte at a time should make the error manifest
254  * itself for known bogus openssl versions. */
255  for (i=0; i<16; ++i)
256  AES_ctr128_encrypt(&zero[i], &output[i], 1, &key, ivec, ivec_tmp, &pos);
257 
258  if (fast_memneq(output, encrypt_zero, 16)) {
259  /* Counter mode is buggy */
260  /* LCOV_EXCL_START */
261  log_err(LD_CRYPTO, "This OpenSSL has a buggy version of counter mode; "
262  "quitting tor.");
263  exit(1); // exit ok: openssl is broken.
264  /* LCOV_EXCL_STOP */
265  }
266  return 0;
267 }
268 
269 #if !defined(USING_COUNTER_VARS)
270 #define COUNTER(c, n) ((c)->ctr_buf.buf32[3-(n)])
271 #else
272 #define COUNTER(c, n) ((c)->counter ## n)
273 #endif
274 
275 static void aes_set_key(aes_cnt_cipher_t *cipher, const uint8_t *key,
276  int key_bits);
277 static void aes_set_iv(aes_cnt_cipher_t *cipher, const uint8_t *iv);
278 
283 aes_cnt_cipher_t*
284 aes_new_cipher(const uint8_t *key, const uint8_t *iv, int bits)
285 {
286  aes_cnt_cipher_t* result = tor_malloc_zero(sizeof(aes_cnt_cipher_t));
287 
288  aes_set_key(result, key, bits);
289  aes_set_iv(result, iv);
290 
291  return result;
292 }
293 
298 static void
299 aes_set_key(aes_cnt_cipher_t *cipher, const uint8_t *key, int key_bits)
300 {
301  if (should_use_EVP) {
302  const EVP_CIPHER *c = 0;
303  switch (key_bits) {
304  case 128: c = EVP_aes_128_ecb(); break;
305  case 192: c = EVP_aes_192_ecb(); break;
306  case 256: c = EVP_aes_256_ecb(); break;
307  default: tor_assert(0); // LCOV_EXCL_LINE
308  }
309  EVP_EncryptInit(&cipher->key.evp, c, key, NULL);
310  cipher->using_evp = 1;
311  } else {
312  AES_set_encrypt_key(key, key_bits,&cipher->key.aes);
313  cipher->using_evp = 0;
314  }
315 
316 #ifdef USING_COUNTER_VARS
317  cipher->counter0 = 0;
318  cipher->counter1 = 0;
319  cipher->counter2 = 0;
320  cipher->counter3 = 0;
321 #endif /* defined(USING_COUNTER_VARS) */
322 
323  memset(cipher->ctr_buf.buf, 0, sizeof(cipher->ctr_buf.buf));
324 
325  cipher->pos = 0;
326 
327  memset(cipher->buf, 0, sizeof(cipher->buf));
328 }
329 
332 void
333 aes_cipher_free_(aes_cnt_cipher_t *cipher)
334 {
335  if (!cipher)
336  return;
337  if (cipher->using_evp) {
338  EVP_CIPHER_CTX_cleanup(&cipher->key.evp);
339  }
340  memwipe(cipher, 0, sizeof(aes_cnt_cipher_t));
341  tor_free(cipher);
342 }
343 
344 #if defined(USING_COUNTER_VARS)
345 #define UPDATE_CTR_BUF(c, n) STMT_BEGIN \
346  (c)->ctr_buf.buf32[3-(n)] = htonl((c)->counter ## n); \
347  STMT_END
348 #else
349 #define UPDATE_CTR_BUF(c, n)
350 #endif /* defined(USING_COUNTER_VARS) */
351 
352 /* Helper function to use EVP with openssl's counter-mode wrapper. */
353 static void
354 evp_block128_fn(const uint8_t in[16],
355  uint8_t out[16],
356  const void *key)
357 {
358  EVP_CIPHER_CTX *ctx = (void*)key;
359  int inl=16, outl=16;
360  EVP_EncryptUpdate(ctx, out, &outl, in, inl);
361 }
362 
367 void
368 aes_crypt_inplace(aes_cnt_cipher_t *cipher, char *data, size_t len)
369 {
370  /* Note that the "128" below refers to the length of the counter,
371  * not the length of the AES key. */
372  if (cipher->using_evp) {
373  /* In openssl 1.0.0, there's an if'd out EVP_aes_128_ctr in evp.h. If
374  * it weren't disabled, it might be better just to use that.
375  */
376  CRYPTO_ctr128_encrypt((const unsigned char *)data,
377  (unsigned char *)data,
378  len,
379  &cipher->key.evp,
380  cipher->ctr_buf.buf,
381  cipher->buf,
382  &cipher->pos,
383  evp_block128_fn);
384  } else {
385  AES_ctr128_encrypt((const unsigned char *)data,
386  (unsigned char *)data,
387  len,
388  &cipher->key.aes,
389  cipher->ctr_buf.buf,
390  cipher->buf,
391  &cipher->pos);
392  }
393 }
394 
397 static void
398 aes_set_iv(aes_cnt_cipher_t *cipher, const uint8_t *iv)
399 {
400 #ifdef USING_COUNTER_VARS
401  cipher->counter3 = tor_ntohl(get_uint32(iv));
402  cipher->counter2 = tor_ntohl(get_uint32(iv+4));
403  cipher->counter1 = tor_ntohl(get_uint32(iv+8));
404  cipher->counter0 = tor_ntohl(get_uint32(iv+12));
405 #endif /* defined(USING_COUNTER_VARS) */
406  cipher->pos = 0;
407  memcpy(cipher->ctr_buf.buf, iv, 16);
408 }
409 
410 #endif /* defined(USE_EVP_AES_CTR) */
Headers for di_ops.c.
Headers for crypto_openssl_mgt.c.
#define tor_free(p)
Definition: malloc.h:52
void memwipe(void *mem, uint8_t byte, size_t sz)
Definition: crypto_util.c:57
static uint32_t get_uint32(const void *cp)
Definition: bytes.h:49
Common functions for cryptographic routines.
tor_assert(buffer)
Headers for aes.c.
Inline functions for reading and writing multibyte values from the middle of strings,...
Headers for log.c.
#define LD_CRYPTO
Definition: log.h:62
Macros to manage assertions, fatal and non-fatal.