aes.c 11.6 KB
Newer Older
1
/* Copyright (c) 2001, Matej Pfajfar.
Roger Dingledine's avatar
Roger Dingledine committed
2
 * Copyright (c) 2001-2004, Roger Dingledine.
3
 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
Nick Mathewson's avatar
Nick Mathewson committed
4
 * Copyright (c) 2007-2016, The Tor Project, Inc. */
5
6
/* See LICENSE for licensing information */

Nick Mathewson's avatar
Nick Mathewson committed
7
8
/**
 * \file aes.c
9
 * \brief Implements a counter-mode stream cipher on top of AES.
Nick Mathewson's avatar
Nick Mathewson committed
10
 **/
11

12
#include "orconfig.h"
13
14

#ifdef _WIN32 /*wrkard for dtls1.h >= 0.9.8m of "#include <winsock.h>"*/
Nick Mathewson's avatar
Nick Mathewson committed
15
16
  #include <winsock2.h>
  #include <ws2tcpip.h>
17
18
#endif

19
#include <openssl/opensslv.h>
20
21
22
23
24
25
#include "crypto.h"

#if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,0,0)
#error "We require OpenSSL >= 1.0.0"
#endif

26
DISABLE_GCC_WARNING(redundant-decls)
27

28
29
30
#include <assert.h>
#include <stdlib.h>
#include <string.h>
31
32
33
#include <openssl/aes.h>
#include <openssl/evp.h>
#include <openssl/engine.h>
34
#include <openssl/modes.h>
35

36
ENABLE_GCC_WARNING(redundant-decls)
37

38
#include "compat.h"
39
#include "aes.h"
40
#include "util.h"
Nick Mathewson's avatar
Nick Mathewson committed
41
#include "torlog.h"
42
#include "di_ops.h"
43

44
45
46
#ifdef ANDROID
/* Android's OpenSSL seems to have removed all of its Engine support. */
#define DISABLE_ENGINES
47
#endif
48

49
50
/* We have five strategies for implementing AES counter mode.
 *
51
 * Best with x86 and x86_64: Use EVP_aes_*_ctr() and EVP_EncryptUpdate().
52
53
54
55
56
57
58
 * This is possible with OpenSSL 1.0.1, where the counter-mode implementation
 * can use bit-sliced or vectorized AES or AESNI as appropriate.
 *
 * Otherwise: Pick the best possible AES block implementation that OpenSSL
 * gives us, and the best possible counter-mode implementation, and combine
 * them.
 */
59
60
61
62
63
64
65
66
#if OPENSSL_VERSION_NUMBER >= OPENSSL_V_NOPATCH(1,1,0)

/* With newer OpenSSL versions, the older fallback modes don't compile.  So
 * don't use them, even if we lack specific acceleration. */

#define USE_EVP_AES_CTR

#elif OPENSSL_VERSION_NUMBER >= OPENSSL_V_NOPATCH(1,0,1) &&               \
67
68
69
70
71
72
73
74
75
76
  (defined(__i386) || defined(__i386__) || defined(_M_IX86) ||          \
   defined(__x86_64) || defined(__x86_64__) ||                          \
   defined(_M_AMD64) || defined(_M_X64) || defined(__INTEL__))          \

#define USE_EVP_AES_CTR

#endif

/* We have 2 strategies for getting the AES block cipher: Via OpenSSL's
 * AES_encrypt function, or via OpenSSL's EVP_EncryptUpdate function.
77
78
79
80
81
82
 *
 * If there's any hardware acceleration in play, we want to be using EVP_* so
 * we can get it.  Otherwise, we'll want AES_*, which seems to be about 5%
 * faster than indirecting through the EVP layer.
 */

83
84
/* We have 2 strategies for getting a plug-in counter mode: use our own, or
 * use OpenSSL's.
85
86
87
88
 *
 * Here we have a counter mode that's faster than the one shipping with
 * OpenSSL pre-1.0 (by about 10%!).  But OpenSSL 1.0.0 added a counter mode
 * implementation faster than the one here (by about 7%).  So we pick which
89
 * one to used based on the Openssl version above.  (OpenSSL 1.0.0a fixed a
90
91
 * critical bug in that counter mode implementation, so we need to test to
 * make sure that we have a fixed version.)
92
 */
93

94
95
#ifdef USE_EVP_AES_CTR

96
/* We don't actually define the struct here. */
97
98

aes_cnt_cipher_t *
99
aes_new_cipher(const uint8_t *key, const uint8_t *iv, int key_bits)
100
{
101
  EVP_CIPHER_CTX *cipher = EVP_CIPHER_CTX_new();
102
  const EVP_CIPHER *c = NULL;
103
104
105
106
  switch (key_bits) {
    case 128: c = EVP_aes_128_ctr(); break;
    case 192: c = EVP_aes_192_ctr(); break;
    case 256: c = EVP_aes_256_ctr(); break;
107
    default: tor_assert_unreached(); // LCOV_EXCL_LINE
108
109
  }
  EVP_EncryptInit(cipher, c, key, iv);
110
  return (aes_cnt_cipher_t *) cipher;
111
112
}
void
113
aes_cipher_free(aes_cnt_cipher_t *cipher_)
114
{
115
  if (!cipher_)
116
    return;
117
118
119
  EVP_CIPHER_CTX *cipher = (EVP_CIPHER_CTX *) cipher_;
  EVP_CIPHER_CTX_cleanup(cipher);
  EVP_CIPHER_CTX_free(cipher);
120
121
}
void
122
aes_crypt_inplace(aes_cnt_cipher_t *cipher_, char *data, size_t len)
123
124
{
  int outl;
125
  EVP_CIPHER_CTX *cipher = (EVP_CIPHER_CTX *) cipher_;
126
127
128

  tor_assert(len < INT_MAX);

129
  EVP_EncryptUpdate(cipher, (unsigned char*)data,
130
131
132
133
134
135
                    &outl, (unsigned char*)data, (int)len);
}
int
evaluate_evp_for_aes(int force_val)
{
  (void) force_val;
136
137
  log_info(LD_CRYPTO, "This version of OpenSSL has a known-good EVP "
           "counter-mode implementation. Using it.");
138
139
140
141
142
143
144
145
146
  return 0;
}
int
evaluate_ctr_for_aes(void)
{
  return 0;
}
#else

147
148
149
/*======================================================================*/
/* Interface to AES code, and counter implementation */

150
/** Implements an AES counter-mode cipher. */
151
struct aes_cnt_cipher {
152
/** This next element (however it's defined) is the AES key. */
153
154
155
156
  union {
    EVP_CIPHER_CTX evp;
    AES_KEY aes;
  } key;
157

158
#if !defined(WORDS_BIGENDIAN)
159
#define USING_COUNTER_VARS
160
161
  /** These four values, together, implement a 128-bit counter, with
   * counter0 as the low-order word and counter3 as the high-order word. */
162
163
164
165
  uint32_t counter3;
  uint32_t counter2;
  uint32_t counter1;
  uint32_t counter0;
166
167
168
169
#endif

  union {
    /** The counter, in big-endian order, as bytes. */
170
    uint8_t buf[16];
171
172
173
    /** The counter, in big-endian order, as big-endian words.  Note that
     * on big-endian platforms, this is redundant with counter3...0,
     * so we just use these values instead. */
174
    uint32_t buf32[4];
175
  } ctr_buf;
176

177
  /** The encrypted value of ctr_buf. */
178
  uint8_t buf[16];
179
  /** Our current stream position within buf. */
180
  unsigned int pos;
181
182
183

  /** True iff we're using the evp implementation of this cipher. */
  uint8_t using_evp;
184
185
};

186
/** True iff we should prefer the EVP implementation for AES, either because
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
 * we're testing it or because we have hardware acceleration configured */
static int should_use_EVP = 0;

/** Check whether we should use the EVP interface for AES. If <b>force_val</b>
 * is nonnegative, we use use EVP iff it is true.  Otherwise, we use EVP
 * if there is an engine enabled for aes-ecb. */
int
evaluate_evp_for_aes(int force_val)
{
  ENGINE *e;

  if (force_val >= 0) {
    should_use_EVP = force_val;
    return 0;
  }
#ifdef DISABLE_ENGINES
  should_use_EVP = 0;
#else
  e = ENGINE_get_cipher_engine(NID_aes_128_ecb);

  if (e) {
208
    log_info(LD_CRYPTO, "AES engine \"%s\" found; using EVP_* functions.",
209
210
211
               ENGINE_get_name(e));
    should_use_EVP = 1;
  } else {
212
    log_info(LD_CRYPTO, "No AES engine found; using AES_* functions.");
213
214
215
216
217
218
219
    should_use_EVP = 0;
  }
#endif

  return 0;
}

220
221
222
223
224
225
226
/** Test the OpenSSL counter mode implementation to see whether it has the
 * counter-mode bug from OpenSSL 1.0.0. If the implementation works, then
 * we will use it for future encryption/decryption operations.
 *
 * We can't just look at the OpenSSL version, since some distributions update
 * their OpenSSL packages without changing the version number.
 **/
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
int
evaluate_ctr_for_aes(void)
{
  /* Result of encrypting an all-zero block with an all-zero 128-bit AES key.
   * This should be the same as encrypting an all-zero block with an all-zero
   * 128-bit AES key in counter mode, starting at position 0 of the stream.
   */
  static const unsigned char encrypt_zero[] =
    "\x66\xe9\x4b\xd4\xef\x8a\x2c\x3b\x88\x4c\xfa\x59\xca\x34\x2b\x2e";
  unsigned char zero[16];
  unsigned char output[16];
  unsigned char ivec[16];
  unsigned char ivec_tmp[16];
  unsigned int pos, i;
  AES_KEY key;
  memset(zero, 0, sizeof(zero));
  memset(ivec, 0, sizeof(ivec));
  AES_set_encrypt_key(zero, 128, &key);

  pos = 0;
  /* Encrypting a block one byte at a time should make the error manifest
   * itself for known bogus openssl versions. */
  for (i=0; i<16; ++i)
    AES_ctr128_encrypt(&zero[i], &output[i], 1, &key, ivec, ivec_tmp, &pos);

252
  if (fast_memneq(output, encrypt_zero, 16)) {
253
    /* Counter mode is buggy */
254
    /* LCOV_EXCL_START */
255
256
257
    log_err(LD_CRYPTO, "This OpenSSL has a buggy version of counter mode; "
                  "quitting tor.");
    exit(1);
258
    /* LCOV_EXCL_STOP */
259
260
261
262
  }
  return 0;
}

263
#if !defined(USING_COUNTER_VARS)
264
265
266
267
268
#define COUNTER(c, n) ((c)->ctr_buf.buf32[3-(n)])
#else
#define COUNTER(c, n) ((c)->counter ## n)
#endif

269
static void aes_set_key(aes_cnt_cipher_t *cipher, const uint8_t *key,
270
                        int key_bits);
271
static void aes_set_iv(aes_cnt_cipher_t *cipher, const uint8_t *iv);
272

Nick Mathewson's avatar
Nick Mathewson committed
273
/**
274
275
 * Return a newly allocated counter-mode AES128 cipher implementation,
 * using the 128-bit key <b>key</b> and the 128-bit IV <b>iv</b>.
Nick Mathewson's avatar
Nick Mathewson committed
276
 */
277
aes_cnt_cipher_t*
278
aes_new_cipher(const uint8_t *key, const uint8_t *iv, int bits)
279
{
280
  aes_cnt_cipher_t* result = tor_malloc_zero(sizeof(aes_cnt_cipher_t));
281

282
  aes_set_key(result, key, bits);
283
284
  aes_set_iv(result, iv);

285
286
287
  return result;
}

Nick Mathewson's avatar
Nick Mathewson committed
288
289
290
291
/** Set the key of <b>cipher</b> to <b>key</b>, which is
 * <b>key_bits</b> bits long (must be 128, 192, or 256).  Also resets
 * the counter to 0.
 */
292
static void
293
aes_set_key(aes_cnt_cipher_t *cipher, const uint8_t *key, int key_bits)
294
{
295
  if (should_use_EVP) {
Sebastian Hahn's avatar
Sebastian Hahn committed
296
    const EVP_CIPHER *c = 0;
297
298
299
300
    switch (key_bits) {
      case 128: c = EVP_aes_128_ecb(); break;
      case 192: c = EVP_aes_192_ecb(); break;
      case 256: c = EVP_aes_256_ecb(); break;
301
      default: tor_assert(0); // LCOV_EXCL_LINE
302
    }
303
    EVP_EncryptInit(&cipher->key.evp, c, key, NULL);
304
305
    cipher->using_evp = 1;
  } else {
306
    AES_set_encrypt_key(key, key_bits,&cipher->key.aes);
307
    cipher->using_evp = 0;
308
  }
309

310
311
312
313
314
315
#ifdef USING_COUNTER_VARS
  cipher->counter0 = 0;
  cipher->counter1 = 0;
  cipher->counter2 = 0;
  cipher->counter3 = 0;
#endif
316

317
318
  memset(cipher->ctr_buf.buf, 0, sizeof(cipher->ctr_buf.buf));

319
  cipher->pos = 0;
320

321
  memset(cipher->buf, 0, sizeof(cipher->buf));
322
323
}

Nick Mathewson's avatar
Nick Mathewson committed
324
325
/** Release storage held by <b>cipher</b>
 */
326
void
327
aes_cipher_free(aes_cnt_cipher_t *cipher)
328
{
329
330
  if (!cipher)
    return;
331
332
333
  if (cipher->using_evp) {
    EVP_CIPHER_CTX_cleanup(&cipher->key.evp);
  }
334
  memwipe(cipher, 0, sizeof(aes_cnt_cipher_t));
335
  tor_free(cipher);
336
337
}

338
#if defined(USING_COUNTER_VARS)
339
340
341
#define UPDATE_CTR_BUF(c, n) STMT_BEGIN                 \
  (c)->ctr_buf.buf32[3-(n)] = htonl((c)->counter ## n); \
  STMT_END
342
343
#else
#define UPDATE_CTR_BUF(c, n)
344
345
#endif

346
/* Helper function to use EVP with openssl's counter-mode wrapper. */
Nick Mathewson's avatar
Nick Mathewson committed
347
348
349
350
static void
evp_block128_fn(const uint8_t in[16],
                uint8_t out[16],
                const void *key)
351
352
353
354
355
356
{
  EVP_CIPHER_CTX *ctx = (void*)key;
  int inl=16, outl=16;
  EVP_EncryptUpdate(ctx, out, &outl, in, inl);
}

357
358
359
360
361
362
363
/** Encrypt <b>len</b> bytes from <b>input</b>, storing the results in place.
 * Uses the key in <b>cipher</b>, and advances the counter by <b>len</b> bytes
 * as it encrypts.
 */
void
aes_crypt_inplace(aes_cnt_cipher_t *cipher, char *data, size_t len)
{
364
365
  /* Note that the "128" below refers to the length of the counter,
   * not the length of the AES key. */
366
367
368
369
370
371
372
373
374
375
376
377
  if (cipher->using_evp) {
    /* In openssl 1.0.0, there's an if'd out EVP_aes_128_ctr in evp.h.  If
     * it weren't disabled, it might be better just to use that.
     */
    CRYPTO_ctr128_encrypt((const unsigned char *)data,
                          (unsigned char *)data,
                          len,
                          &cipher->key.evp,
                          cipher->ctr_buf.buf,
                          cipher->buf,
                          &cipher->pos,
                          evp_block128_fn);
378
  } else {
379
380
381
382
383
384
385
    AES_ctr128_encrypt((const unsigned char *)data,
                       (unsigned char *)data,
                       len,
                       &cipher->key.aes,
                       cipher->ctr_buf.buf,
                       cipher->buf,
                       &cipher->pos);
386
  }
387
388
}

389
390
/** Reset the 128-bit counter of <b>cipher</b> to the 16-bit big-endian value
 * in <b>iv</b>. */
391
static void
392
aes_set_iv(aes_cnt_cipher_t *cipher, const uint8_t *iv)
393
{
394
#ifdef USING_COUNTER_VARS
395
396
397
398
  cipher->counter3 = ntohl(get_uint32(iv));
  cipher->counter2 = ntohl(get_uint32(iv+4));
  cipher->counter1 = ntohl(get_uint32(iv+8));
  cipher->counter0 = ntohl(get_uint32(iv+12));
399
#endif
400
  cipher->pos = 0;
401
  memcpy(cipher->ctr_buf.buf, iv, 16);
402
403
}

404
#endif