Tor  0.4.4.0-alpha-dev
aes_openssl.c
Go to the documentation of this file.
1 /* Copyright (c) 2001, Matej Pfajfar.
2  * Copyright (c) 2001-2004, Roger Dingledine.
3  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4  * Copyright (c) 2007-2020, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
6 
7 /**
8  * \file aes_openssl.c
9  * \brief Use OpenSSL to implement AES_CTR.
10  **/
11 
12 #include "orconfig.h"
13 #include "lib/crypt_ops/aes.h"
15 #include "lib/log/util_bug.h"
16 #include "lib/arch/bytes.h"
17 
18 #ifdef _WIN32 /*wrkard for dtls1.h >= 0.9.8m of "#include <winsock.h>"*/
19  #include <winsock2.h>
20  #include <ws2tcpip.h>
21 #endif
22 
23 #include "lib/crypt_ops/compat_openssl.h"
24 #include <openssl/opensslv.h>
26 
27 #if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,0,0)
28 #error "We require OpenSSL >= 1.0.0"
29 #endif
30 
31 DISABLE_GCC_WARNING("-Wredundant-decls")
32 
33 #include <stdlib.h>
34 #include <string.h>
35 #include <openssl/aes.h>
36 #include <openssl/evp.h>
37 #include <openssl/engine.h>
38 #include <openssl/modes.h>
39 
40 ENABLE_GCC_WARNING("-Wredundant-decls")
41 
42 #include "lib/log/log.h"
43 #include "lib/ctime/di_ops.h"
44 
45 #ifdef OPENSSL_NO_ENGINE
46 /* Android's OpenSSL seems to have removed all of its Engine support. */
47 #define DISABLE_ENGINES
48 #endif
49 
50 /* We have five strategies for implementing AES counter mode.
51  *
52  * Best with x86 and x86_64: Use EVP_aes_*_ctr() and EVP_EncryptUpdate().
53  * This is possible with OpenSSL 1.0.1, where the counter-mode implementation
54  * can use bit-sliced or vectorized AES or AESNI as appropriate.
55  *
56  * Otherwise: Pick the best possible AES block implementation that OpenSSL
57  * gives us, and the best possible counter-mode implementation, and combine
58  * them.
59  */
60 #if OPENSSL_VERSION_NUMBER >= OPENSSL_V_NOPATCH(1,1,0)
61 
62 /* With newer OpenSSL versions, the older fallback modes don't compile. So
63  * don't use them, even if we lack specific acceleration. */
64 
65 #define USE_EVP_AES_CTR
66 
67 #elif OPENSSL_VERSION_NUMBER >= OPENSSL_V_NOPATCH(1,0,1) && \
68  (defined(__i386) || defined(__i386__) || defined(_M_IX86) || \
69  defined(__x86_64) || defined(__x86_64__) || \
70  defined(_M_AMD64) || defined(_M_X64) || defined(__INTEL__))
71 
72 #define USE_EVP_AES_CTR
73 
74 #endif /* OPENSSL_VERSION_NUMBER >= OPENSSL_V_NOPATCH(1,1,0) || ... */
75 
76 /* We have 2 strategies for getting the AES block cipher: Via OpenSSL's
77  * AES_encrypt function, or via OpenSSL's EVP_EncryptUpdate function.
78  *
79  * If there's any hardware acceleration in play, we want to be using EVP_* so
80  * we can get it. Otherwise, we'll want AES_*, which seems to be about 5%
81  * faster than indirecting through the EVP layer.
82  */
83 
84 /* We have 2 strategies for getting a plug-in counter mode: use our own, or
85  * use OpenSSL's.
86  *
87  * Here we have a counter mode that's faster than the one shipping with
88  * OpenSSL pre-1.0 (by about 10%!). But OpenSSL 1.0.0 added a counter mode
89  * implementation faster than the one here (by about 7%). So we pick which
90  * one to used based on the Openssl version above. (OpenSSL 1.0.0a fixed a
91  * critical bug in that counter mode implementation, so we need to test to
92  * make sure that we have a fixed version.)
93  */
94 
95 #ifdef USE_EVP_AES_CTR
96 
97 /* We don't actually define the struct here. */
98 
99 aes_cnt_cipher_t *
100 aes_new_cipher(const uint8_t *key, const uint8_t *iv, int key_bits)
101 {
102  EVP_CIPHER_CTX *cipher = EVP_CIPHER_CTX_new();
103  const EVP_CIPHER *c = NULL;
104  switch (key_bits) {
105  case 128: c = EVP_aes_128_ctr(); break;
106  case 192: c = EVP_aes_192_ctr(); break;
107  case 256: c = EVP_aes_256_ctr(); break;
108  default: tor_assert_unreached(); // LCOV_EXCL_LINE
109  }
110  EVP_EncryptInit(cipher, c, key, iv);
111  return (aes_cnt_cipher_t *) cipher;
112 }
113 void
114 aes_cipher_free_(aes_cnt_cipher_t *cipher_)
115 {
116  if (!cipher_)
117  return;
118  EVP_CIPHER_CTX *cipher = (EVP_CIPHER_CTX *) cipher_;
119 #ifdef OPENSSL_1_1_API
120  EVP_CIPHER_CTX_reset(cipher);
121 #else
122  EVP_CIPHER_CTX_cleanup(cipher);
123 #endif
124  EVP_CIPHER_CTX_free(cipher);
125 }
126 void
127 aes_crypt_inplace(aes_cnt_cipher_t *cipher_, char *data, size_t len)
128 {
129  int outl;
130  EVP_CIPHER_CTX *cipher = (EVP_CIPHER_CTX *) cipher_;
131 
132  tor_assert(len < INT_MAX);
133 
134  EVP_EncryptUpdate(cipher, (unsigned char*)data,
135  &outl, (unsigned char*)data, (int)len);
136 }
137 int
138 evaluate_evp_for_aes(int force_val)
139 {
140  (void) force_val;
141  log_info(LD_CRYPTO, "This version of OpenSSL has a known-good EVP "
142  "counter-mode implementation. Using it.");
143  return 0;
144 }
145 int
146 evaluate_ctr_for_aes(void)
147 {
148  return 0;
149 }
150 #else /* !defined(USE_EVP_AES_CTR) */
151 
152 /*======================================================================*/
153 /* Interface to AES code, and counter implementation */
154 
155 /** Implements an AES counter-mode cipher. */
156 struct aes_cnt_cipher_t {
157 /** This next element (however it's defined) is the AES key. */
158  union {
159  EVP_CIPHER_CTX evp;
160  AES_KEY aes;
161  } key;
162 
163 #if !defined(WORDS_BIGENDIAN)
164 #define USING_COUNTER_VARS
165  /** These four values, together, implement a 128-bit counter, with
166  * counter0 as the low-order word and counter3 as the high-order word. */
167  uint32_t counter3;
168  uint32_t counter2;
169  uint32_t counter1;
170  uint32_t counter0;
171 #endif /* !defined(WORDS_BIGENDIAN) */
172 
173  union {
174  /** The counter, in big-endian order, as bytes. */
175  uint8_t buf[16];
176  /** The counter, in big-endian order, as big-endian words. Note that
177  * on big-endian platforms, this is redundant with counter3...0,
178  * so we just use these values instead. */
179  uint32_t buf32[4];
180  } ctr_buf;
181 
182  /** The encrypted value of ctr_buf. */
183  uint8_t buf[16];
184  /** Our current stream position within buf. */
185  unsigned int pos;
186 
187  /** True iff we're using the evp implementation of this cipher. */
188  uint8_t using_evp;
189 };
190 
191 /** True iff we should prefer the EVP implementation for AES, either because
192  * we're testing it or because we have hardware acceleration configured */
193 static int should_use_EVP = 0;
194 
195 /** Check whether we should use the EVP interface for AES. If <b>force_val</b>
196  * is nonnegative, we use use EVP iff it is true. Otherwise, we use EVP
197  * if there is an engine enabled for aes-ecb. */
198 int
199 evaluate_evp_for_aes(int force_val)
200 {
201  ENGINE *e;
202 
203  if (force_val >= 0) {
204  should_use_EVP = force_val;
205  return 0;
206  }
207 #ifdef DISABLE_ENGINES
208  should_use_EVP = 0;
209 #else
210  e = ENGINE_get_cipher_engine(NID_aes_128_ecb);
211 
212  if (e) {
213  log_info(LD_CRYPTO, "AES engine \"%s\" found; using EVP_* functions.",
214  ENGINE_get_name(e));
215  should_use_EVP = 1;
216  } else {
217  log_info(LD_CRYPTO, "No AES engine found; using AES_* functions.");
218  should_use_EVP = 0;
219  }
220 #endif /* defined(DISABLE_ENGINES) */
221 
222  return 0;
223 }
224 
225 /** Test the OpenSSL counter mode implementation to see whether it has the
226  * counter-mode bug from OpenSSL 1.0.0. If the implementation works, then
227  * we will use it for future encryption/decryption operations.
228  *
229  * We can't just look at the OpenSSL version, since some distributions update
230  * their OpenSSL packages without changing the version number.
231  **/
232 int
233 evaluate_ctr_for_aes(void)
234 {
235  /* Result of encrypting an all-zero block with an all-zero 128-bit AES key.
236  * This should be the same as encrypting an all-zero block with an all-zero
237  * 128-bit AES key in counter mode, starting at position 0 of the stream.
238  */
239  static const unsigned char encrypt_zero[] =
240  "\x66\xe9\x4b\xd4\xef\x8a\x2c\x3b\x88\x4c\xfa\x59\xca\x34\x2b\x2e";
241  unsigned char zero[16];
242  unsigned char output[16];
243  unsigned char ivec[16];
244  unsigned char ivec_tmp[16];
245  unsigned int pos, i;
246  AES_KEY key;
247  memset(zero, 0, sizeof(zero));
248  memset(ivec, 0, sizeof(ivec));
249  AES_set_encrypt_key(zero, 128, &key);
250 
251  pos = 0;
252  /* Encrypting a block one byte at a time should make the error manifest
253  * itself for known bogus openssl versions. */
254  for (i=0; i<16; ++i)
255  AES_ctr128_encrypt(&zero[i], &output[i], 1, &key, ivec, ivec_tmp, &pos);
256 
257  if (fast_memneq(output, encrypt_zero, 16)) {
258  /* Counter mode is buggy */
259  /* LCOV_EXCL_START */
260  log_err(LD_CRYPTO, "This OpenSSL has a buggy version of counter mode; "
261  "quitting tor.");
262  exit(1); // exit ok: openssl is broken.
263  /* LCOV_EXCL_STOP */
264  }
265  return 0;
266 }
267 
268 #if !defined(USING_COUNTER_VARS)
269 #define COUNTER(c, n) ((c)->ctr_buf.buf32[3-(n)])
270 #else
271 #define COUNTER(c, n) ((c)->counter ## n)
272 #endif
273 
274 static void aes_set_key(aes_cnt_cipher_t *cipher, const uint8_t *key,
275  int key_bits);
276 static void aes_set_iv(aes_cnt_cipher_t *cipher, const uint8_t *iv);
277 
278 /**
279  * Return a newly allocated counter-mode AES128 cipher implementation,
280  * using the 128-bit key <b>key</b> and the 128-bit IV <b>iv</b>.
281  */
282 aes_cnt_cipher_t*
283 aes_new_cipher(const uint8_t *key, const uint8_t *iv, int bits)
284 {
285  aes_cnt_cipher_t* result = tor_malloc_zero(sizeof(aes_cnt_cipher_t));
286 
287  aes_set_key(result, key, bits);
288  aes_set_iv(result, iv);
289 
290  return result;
291 }
292 
293 /** Set the key of <b>cipher</b> to <b>key</b>, which is
294  * <b>key_bits</b> bits long (must be 128, 192, or 256). Also resets
295  * the counter to 0.
296  */
297 static void
298 aes_set_key(aes_cnt_cipher_t *cipher, const uint8_t *key, int key_bits)
299 {
300  if (should_use_EVP) {
301  const EVP_CIPHER *c = 0;
302  switch (key_bits) {
303  case 128: c = EVP_aes_128_ecb(); break;
304  case 192: c = EVP_aes_192_ecb(); break;
305  case 256: c = EVP_aes_256_ecb(); break;
306  default: tor_assert(0); // LCOV_EXCL_LINE
307  }
308  EVP_EncryptInit(&cipher->key.evp, c, key, NULL);
309  cipher->using_evp = 1;
310  } else {
311  AES_set_encrypt_key(key, key_bits,&cipher->key.aes);
312  cipher->using_evp = 0;
313  }
314 
315 #ifdef USING_COUNTER_VARS
316  cipher->counter0 = 0;
317  cipher->counter1 = 0;
318  cipher->counter2 = 0;
319  cipher->counter3 = 0;
320 #endif /* defined(USING_COUNTER_VARS) */
321 
322  memset(cipher->ctr_buf.buf, 0, sizeof(cipher->ctr_buf.buf));
323 
324  cipher->pos = 0;
325 
326  memset(cipher->buf, 0, sizeof(cipher->buf));
327 }
328 
329 /** Release storage held by <b>cipher</b>
330  */
331 void
332 aes_cipher_free_(aes_cnt_cipher_t *cipher)
333 {
334  if (!cipher)
335  return;
336  if (cipher->using_evp) {
337  EVP_CIPHER_CTX_cleanup(&cipher->key.evp);
338  }
339  memwipe(cipher, 0, sizeof(aes_cnt_cipher_t));
340  tor_free(cipher);
341 }
342 
343 #if defined(USING_COUNTER_VARS)
344 #define UPDATE_CTR_BUF(c, n) STMT_BEGIN \
345  (c)->ctr_buf.buf32[3-(n)] = htonl((c)->counter ## n); \
346  STMT_END
347 #else
348 #define UPDATE_CTR_BUF(c, n)
349 #endif /* defined(USING_COUNTER_VARS) */
350 
351 /* Helper function to use EVP with openssl's counter-mode wrapper. */
352 static void
353 evp_block128_fn(const uint8_t in[16],
354  uint8_t out[16],
355  const void *key)
356 {
357  EVP_CIPHER_CTX *ctx = (void*)key;
358  int inl=16, outl=16;
359  EVP_EncryptUpdate(ctx, out, &outl, in, inl);
360 }
361 
362 /** Encrypt <b>len</b> bytes from <b>input</b>, storing the results in place.
363  * Uses the key in <b>cipher</b>, and advances the counter by <b>len</b> bytes
364  * as it encrypts.
365  */
366 void
367 aes_crypt_inplace(aes_cnt_cipher_t *cipher, char *data, size_t len)
368 {
369  /* Note that the "128" below refers to the length of the counter,
370  * not the length of the AES key. */
371  if (cipher->using_evp) {
372  /* In openssl 1.0.0, there's an if'd out EVP_aes_128_ctr in evp.h. If
373  * it weren't disabled, it might be better just to use that.
374  */
375  CRYPTO_ctr128_encrypt((const unsigned char *)data,
376  (unsigned char *)data,
377  len,
378  &cipher->key.evp,
379  cipher->ctr_buf.buf,
380  cipher->buf,
381  &cipher->pos,
382  evp_block128_fn);
383  } else {
384  AES_ctr128_encrypt((const unsigned char *)data,
385  (unsigned char *)data,
386  len,
387  &cipher->key.aes,
388  cipher->ctr_buf.buf,
389  cipher->buf,
390  &cipher->pos);
391  }
392 }
393 
394 /** Reset the 128-bit counter of <b>cipher</b> to the 16-bit big-endian value
395  * in <b>iv</b>. */
396 static void
397 aes_set_iv(aes_cnt_cipher_t *cipher, const uint8_t *iv)
398 {
399 #ifdef USING_COUNTER_VARS
400  cipher->counter3 = tor_ntohl(get_uint32(iv));
401  cipher->counter2 = tor_ntohl(get_uint32(iv+4));
402  cipher->counter1 = tor_ntohl(get_uint32(iv+8));
403  cipher->counter0 = tor_ntohl(get_uint32(iv+12));
404 #endif /* defined(USING_COUNTER_VARS) */
405  cipher->pos = 0;
406  memcpy(cipher->ctr_buf.buf, iv, 16);
407 }
408 
409 #endif /* defined(USE_EVP_AES_CTR) */
Headers for di_ops.c.
Headers for crypto_openssl_mgt.c.
#define tor_assert(expr)
Definition: util_bug.h:102
#define tor_free(p)
Definition: malloc.h:52
void memwipe(void *mem, uint8_t byte, size_t sz)
Definition: crypto_util.c:55
static uint32_t get_uint32(const void *cp)
Definition: bytes.h:54
Common functions for cryptographic routines.
Headers for aes.c.
#define fast_memneq(a, b, c)
Definition: di_ops.h:42
static uint32_t tor_ntohl(uint32_t a)
Definition: bytes.h:177
Inline functions for reading and writing multibyte values from the middle of strings,...
#define LD_CRYPTO
Definition: log.h:64
Macros to manage assertions, fatal and non-fatal.