diff options
Diffstat (limited to 'src/lib/crypto/symmetric_ossl.cpp')
-rw-r--r-- | src/lib/crypto/symmetric_ossl.cpp | 644 |
1 files changed, 644 insertions, 0 deletions
diff --git a/src/lib/crypto/symmetric_ossl.cpp b/src/lib/crypto/symmetric_ossl.cpp new file mode 100644 index 0000000..98e90ed --- /dev/null +++ b/src/lib/crypto/symmetric_ossl.cpp @@ -0,0 +1,644 @@ +/*- + * Copyright (c) 2021 Ribose Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#include "crypto.h" +#include "config.h" +#include "defaults.h" + +#include <string.h> +#include <stdlib.h> +#include <assert.h> +#include <openssl/evp.h> +#include <openssl/err.h> +#include "mem.h" +#include "utils.h" + +static const char * +pgp_sa_to_openssl_string(int alg, bool silent = false) +{ + switch (alg) { +#if defined(ENABLE_IDEA) + case PGP_SA_IDEA: + return "idea-ecb"; +#endif + case PGP_SA_TRIPLEDES: + return "des-ede3"; +#if defined(ENABLE_CAST5) + case PGP_SA_CAST5: + return "cast5-ecb"; +#endif +#if defined(ENABLE_BLOWFISH) + case PGP_SA_BLOWFISH: + return "bf-ecb"; +#endif + case PGP_SA_AES_128: + return "aes-128-ecb"; + case PGP_SA_AES_192: + return "aes-192-ecb"; + case PGP_SA_AES_256: + return "aes-256-ecb"; +#if defined(ENABLE_SM2) + case PGP_SA_SM4: + return "sm4-ecb"; +#endif + case PGP_SA_CAMELLIA_128: + return "camellia-128-ecb"; + case PGP_SA_CAMELLIA_192: + return "camellia-192-ecb"; + case PGP_SA_CAMELLIA_256: + return "camellia-256-ecb"; + default: + if (!silent) { + RNP_LOG("Unsupported symmetric algorithm %d", alg); + } + return NULL; + } +} + +bool +pgp_cipher_cfb_start(pgp_crypt_t * crypt, + pgp_symm_alg_t alg, + const uint8_t *key, + const uint8_t *iv) +{ + memset(crypt, 0x0, sizeof(*crypt)); + + const char *cipher_name = pgp_sa_to_openssl_string(alg); + if (!cipher_name) { + RNP_LOG("Unsupported algorithm: %d", alg); + return false; + } + + const EVP_CIPHER *cipher = EVP_get_cipherbyname(cipher_name); + if (!cipher) { + RNP_LOG("Cipher %s is not supported by OpenSSL.", cipher_name); + return false; + } + + crypt->alg = alg; + crypt->blocksize = pgp_block_size(alg); + + EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new(); + int res = EVP_EncryptInit_ex(ctx, cipher, NULL, key, iv); + if (res != 1) { + RNP_LOG("Failed to initialize cipher."); + EVP_CIPHER_CTX_free(ctx); + return false; + } + crypt->cfb.obj = ctx; + + if (iv) { + // Otherwise left as all zeros via memset at start of function + memcpy(crypt->cfb.iv, iv, crypt->blocksize); + } + + crypt->cfb.remaining = 0; + return true; +} + +void +pgp_cipher_cfb_resync(pgp_crypt_t *crypt, const uint8_t *buf) +{ + /* iv will be encrypted in the upcoming call to encrypt/decrypt */ + memcpy(crypt->cfb.iv, buf, crypt->blocksize); + crypt->cfb.remaining = 0; +} + +int +pgp_cipher_cfb_finish(pgp_crypt_t *crypt) +{ + if (!crypt) { + return 0; + } + if (crypt->cfb.obj) { + EVP_CIPHER_CTX_free(crypt->cfb.obj); + crypt->cfb.obj = NULL; + } + OPENSSL_cleanse((uint8_t *) crypt, sizeof(*crypt)); + return 0; +} + +/* we rely on fact that in and out could be the same */ +int +pgp_cipher_cfb_encrypt(pgp_crypt_t *crypt, uint8_t *out, const uint8_t *in, size_t bytes) +{ + uint64_t *in64; + uint64_t buf64[512]; // 4KB - page size + uint64_t iv64[2]; + size_t blocks, blockb; + unsigned blsize = crypt->blocksize; + + /* encrypting till the block boundary */ + while (bytes && crypt->cfb.remaining) { + *out = *in++ ^ crypt->cfb.iv[blsize - crypt->cfb.remaining]; + crypt->cfb.iv[blsize - crypt->cfb.remaining] = *out++; + crypt->cfb.remaining--; + bytes--; + } + + if (!bytes) { + return 0; + } + + /* encrypting full blocks */ + if (bytes > blsize) { + memcpy(iv64, crypt->cfb.iv, blsize); + while ((blocks = bytes & ~(blsize - 1)) > 0) { + if (blocks > sizeof(buf64)) { + blocks = sizeof(buf64); + } + bytes -= blocks; + blockb = blocks; + memcpy(buf64, in, blockb); + in64 = buf64; + + if (blsize == 16) { + blocks >>= 4; + while (blocks--) { + int outlen = 16; + EVP_EncryptUpdate( + crypt->cfb.obj, (uint8_t *) iv64, &outlen, (uint8_t *) iv64, 16); + if (outlen != 16) { + RNP_LOG("Bad outlen: must be 16"); + } + *in64 ^= iv64[0]; + iv64[0] = *in64++; + *in64 ^= iv64[1]; + iv64[1] = *in64++; + } + } else { + blocks >>= 3; + while (blocks--) { + int outlen = 8; + EVP_EncryptUpdate( + crypt->cfb.obj, (uint8_t *) iv64, &outlen, (uint8_t *) iv64, 8); + if (outlen != 8) { + RNP_LOG("Bad outlen: must be 8"); + } + *in64 ^= iv64[0]; + iv64[0] = *in64++; + } + } + + memcpy(out, buf64, blockb); + out += blockb; + in += blockb; + } + + memcpy(crypt->cfb.iv, iv64, blsize); + } + + if (!bytes) { + return 0; + } + + int outlen = blsize; + EVP_EncryptUpdate(crypt->cfb.obj, crypt->cfb.iv, &outlen, crypt->cfb.iv, (int) blsize); + if (outlen != (int) blsize) { + RNP_LOG("Bad outlen: must be %u", blsize); + } + crypt->cfb.remaining = blsize; + + /* encrypting tail */ + while (bytes) { + *out = *in++ ^ crypt->cfb.iv[blsize - crypt->cfb.remaining]; + crypt->cfb.iv[blsize - crypt->cfb.remaining] = *out++; + crypt->cfb.remaining--; + bytes--; + } + + return 0; +} + +/* we rely on fact that in and out could be the same */ +int +pgp_cipher_cfb_decrypt(pgp_crypt_t *crypt, uint8_t *out, const uint8_t *in, size_t bytes) +{ + /* for better code readability */ + uint64_t *out64, *in64; + uint64_t inbuf64[512]; // 4KB - page size + uint64_t outbuf64[512]; + uint64_t iv64[2]; + size_t blocks, blockb; + unsigned blsize = crypt->blocksize; + + /* decrypting till the block boundary */ + while (bytes && crypt->cfb.remaining) { + uint8_t c = *in++; + *out++ = c ^ crypt->cfb.iv[blsize - crypt->cfb.remaining]; + crypt->cfb.iv[blsize - crypt->cfb.remaining] = c; + crypt->cfb.remaining--; + bytes--; + } + + if (!bytes) { + return 0; + } + + /* decrypting full blocks */ + if (bytes > blsize) { + memcpy(iv64, crypt->cfb.iv, blsize); + + while ((blocks = bytes & ~(blsize - 1)) > 0) { + if (blocks > sizeof(inbuf64)) { + blocks = sizeof(inbuf64); + } + bytes -= blocks; + blockb = blocks; + memcpy(inbuf64, in, blockb); + out64 = outbuf64; + in64 = inbuf64; + + if (blsize == 16) { + blocks >>= 4; + while (blocks--) { + int outlen = 16; + EVP_EncryptUpdate( + crypt->cfb.obj, (uint8_t *) iv64, &outlen, (uint8_t *) iv64, 16); + if (outlen != 16) { + RNP_LOG("Bad outlen: must be 16"); + } + *out64++ = *in64 ^ iv64[0]; + iv64[0] = *in64++; + *out64++ = *in64 ^ iv64[1]; + iv64[1] = *in64++; + } + } else { + blocks >>= 3; + while (blocks--) { + int outlen = 8; + EVP_EncryptUpdate( + crypt->cfb.obj, (uint8_t *) iv64, &outlen, (uint8_t *) iv64, 8); + if (outlen != 8) { + RNP_LOG("Bad outlen: must be 8"); + } + *out64++ = *in64 ^ iv64[0]; + iv64[0] = *in64++; + } + } + + memcpy(out, outbuf64, blockb); + out += blockb; + in += blockb; + } + + memcpy(crypt->cfb.iv, iv64, blsize); + } + + if (!bytes) { + return 0; + } + + int outlen = blsize; + EVP_EncryptUpdate(crypt->cfb.obj, crypt->cfb.iv, &outlen, crypt->cfb.iv, (int) blsize); + if (outlen != (int) blsize) { + RNP_LOG("Bad outlen: must be %u", blsize); + } + crypt->cfb.remaining = blsize; + + /* decrypting tail */ + while (bytes) { + uint8_t c = *in++; + *out++ = c ^ crypt->cfb.iv[blsize - crypt->cfb.remaining]; + crypt->cfb.iv[blsize - crypt->cfb.remaining] = c; + crypt->cfb.remaining--; + bytes--; + } + + return 0; +} + +size_t +pgp_cipher_block_size(pgp_crypt_t *crypt) +{ + return crypt->blocksize; +} + +unsigned +pgp_block_size(pgp_symm_alg_t alg) +{ + switch (alg) { + case PGP_SA_IDEA: + case PGP_SA_TRIPLEDES: + case PGP_SA_CAST5: + case PGP_SA_BLOWFISH: + return 8; + case PGP_SA_AES_128: + case PGP_SA_AES_192: + case PGP_SA_AES_256: + case PGP_SA_TWOFISH: + case PGP_SA_CAMELLIA_128: + case PGP_SA_CAMELLIA_192: + case PGP_SA_CAMELLIA_256: + case PGP_SA_SM4: + return 16; + default: + return 0; + } +} + +unsigned +pgp_key_size(pgp_symm_alg_t alg) +{ + /* Update MAX_SYMM_KEY_SIZE after adding algorithm + * with bigger key size. + */ + static_assert(32 == MAX_SYMM_KEY_SIZE, "MAX_SYMM_KEY_SIZE must be updated"); + + switch (alg) { + case PGP_SA_IDEA: + case PGP_SA_CAST5: + case PGP_SA_BLOWFISH: + case PGP_SA_AES_128: + case PGP_SA_CAMELLIA_128: + case PGP_SA_SM4: + return 16; + case PGP_SA_TRIPLEDES: + case PGP_SA_AES_192: + case PGP_SA_CAMELLIA_192: + return 24; + case PGP_SA_TWOFISH: + case PGP_SA_AES_256: + case PGP_SA_CAMELLIA_256: + return 32; + default: + return 0; + } +} + +bool +pgp_is_sa_supported(int alg, bool silent) +{ + return pgp_sa_to_openssl_string(alg, silent); +} + +#if defined(ENABLE_AEAD) + +static const char * +openssl_aead_name(pgp_symm_alg_t ealg, pgp_aead_alg_t aalg) +{ + switch (aalg) { + case PGP_AEAD_OCB: + break; + default: + RNP_LOG("Only OCB mode is supported by the OpenSSL backend."); + return NULL; + } + switch (ealg) { + case PGP_SA_AES_128: + return "AES-128-OCB"; + case PGP_SA_AES_192: + return "AES-192-OCB"; + case PGP_SA_AES_256: + return "AES-256-OCB"; + default: + RNP_LOG("Only AES-OCB is supported by the OpenSSL backend."); + return NULL; + } +} + +bool +pgp_cipher_aead_init(pgp_crypt_t * crypt, + pgp_symm_alg_t ealg, + pgp_aead_alg_t aalg, + const uint8_t *key, + bool decrypt) +{ + memset(crypt, 0x0, sizeof(*crypt)); + /* OpenSSL backend currently supports only AES-OCB */ + const char *algname = openssl_aead_name(ealg, aalg); + if (!algname) { + return false; + } + auto cipher = EVP_get_cipherbyname(algname); + if (!cipher) { + RNP_LOG("Cipher %s is not supported.", algname); + return false; + } + /* Create and setup context */ + EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new(); + if (!ctx) { + RNP_LOG("Failed to create cipher context: %lu", ERR_peek_last_error()); + return false; + } + + crypt->aead.key = new rnp::secure_vector<uint8_t>(key, key + pgp_key_size(ealg)); + crypt->alg = ealg; + crypt->blocksize = pgp_block_size(ealg); + crypt->aead.cipher = cipher; + crypt->aead.obj = ctx; + crypt->aead.alg = aalg; + crypt->aead.decrypt = decrypt; + crypt->aead.granularity = crypt->blocksize; + crypt->aead.taglen = PGP_AEAD_EAX_OCB_TAG_LEN; + crypt->aead.ad_len = 0; + crypt->aead.n_len = pgp_cipher_aead_nonce_len(aalg); + return true; +} + +size_t +pgp_cipher_aead_granularity(pgp_crypt_t *crypt) +{ + return crypt->aead.granularity; +} +#endif + +size_t +pgp_cipher_aead_nonce_len(pgp_aead_alg_t aalg) +{ + switch (aalg) { + case PGP_AEAD_EAX: + return PGP_AEAD_EAX_NONCE_LEN; + case PGP_AEAD_OCB: + return PGP_AEAD_OCB_NONCE_LEN; + default: + return 0; + } +} + +size_t +pgp_cipher_aead_tag_len(pgp_aead_alg_t aalg) +{ + switch (aalg) { + case PGP_AEAD_EAX: + case PGP_AEAD_OCB: + return PGP_AEAD_EAX_OCB_TAG_LEN; + default: + return 0; + } +} + +#if defined(ENABLE_AEAD) +bool +pgp_cipher_aead_set_ad(pgp_crypt_t *crypt, const uint8_t *ad, size_t len) +{ + assert(len <= sizeof(crypt->aead.ad)); + memcpy(crypt->aead.ad, ad, len); + crypt->aead.ad_len = len; + return true; +} + +bool +pgp_cipher_aead_start(pgp_crypt_t *crypt, const uint8_t *nonce, size_t len) +{ + auto &aead = crypt->aead; + auto ctx = aead.obj; + int enc = aead.decrypt ? 0 : 1; + assert(len == aead.n_len); + EVP_CIPHER_CTX_reset(ctx); + if (EVP_CipherInit_ex(ctx, aead.cipher, NULL, NULL, NULL, enc) != 1) { + RNP_LOG("Failed to initialize cipher: %lu", ERR_peek_last_error()); + return false; + } + if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, aead.n_len, NULL) != 1) { + RNP_LOG("Failed to set nonce length: %lu", ERR_peek_last_error()); + return false; + } + if (EVP_CipherInit_ex(ctx, NULL, NULL, aead.key->data(), nonce, enc) != 1) { + RNP_LOG("Failed to start cipher: %lu", ERR_peek_last_error()); + return false; + } + int adlen = 0; + if (EVP_CipherUpdate(ctx, NULL, &adlen, aead.ad, aead.ad_len) != 1) { + RNP_LOG("Failed to set AD: %lu", ERR_peek_last_error()); + return false; + } + return true; +} + +bool +pgp_cipher_aead_update(pgp_crypt_t *crypt, uint8_t *out, const uint8_t *in, size_t len) +{ + if (!len) { + return true; + } + int out_len = 0; + bool res = EVP_CipherUpdate(crypt->aead.obj, out, &out_len, in, len) == 1; + if (!res) { + RNP_LOG("Failed to update cipher: %lu", ERR_peek_last_error()); + } + assert(out_len == (int) len); + return res; +} + +void +pgp_cipher_aead_reset(pgp_crypt_t *crypt) +{ + /* Do nothing as subsequent pgp_cipher_aead_start() call will reset context */ +} + +bool +pgp_cipher_aead_finish(pgp_crypt_t *crypt, uint8_t *out, const uint8_t *in, size_t len) +{ + auto &aead = crypt->aead; + auto ctx = aead.obj; + if (aead.decrypt) { + assert(len >= aead.taglen); + if (len < aead.taglen) { + RNP_LOG("Invalid state: too few input bytes."); + return false; + } + size_t data_len = len - aead.taglen; + int out_len = 0; + if (EVP_CipherUpdate(ctx, out, &out_len, in, data_len) != 1) { + RNP_LOG("Failed to update cipher: %lu", ERR_peek_last_error()); + return false; + } + uint8_t tag[PGP_AEAD_MAX_TAG_LEN] = {0}; + memcpy(tag, in + data_len, aead.taglen); + if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, aead.taglen, tag) != 1) { + RNP_LOG("Failed to set tag: %lu", ERR_peek_last_error()); + return false; + } + int out_len2 = 0; + if (EVP_CipherFinal_ex(ctx, out + out_len, &out_len2) != 1) { + /* Zero value if auth tag is incorrect */ + if (ERR_peek_last_error()) { + RNP_LOG("Failed to finish AEAD decryption: %lu", ERR_peek_last_error()); + } + return false; + } + assert(out_len + out_len2 == (int) (len - aead.taglen)); + } else { + int out_len = 0; + if (EVP_CipherUpdate(ctx, out, &out_len, in, len) != 1) { + RNP_LOG("Failed to update cipher: %lu", ERR_peek_last_error()); + return false; + } + int out_len2 = 0; + if (EVP_CipherFinal_ex(ctx, out + out_len, &out_len2) != 1) { + RNP_LOG("Failed to finish AEAD encryption: %lu", ERR_peek_last_error()); + return false; + } + assert(out_len + out_len2 == (int) len); + if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, aead.taglen, out + len) != 1) { + RNP_LOG("Failed to get tag: %lu", ERR_peek_last_error()); + return false; + } + } + return true; +} + +void +pgp_cipher_aead_destroy(pgp_crypt_t *crypt) +{ + if (crypt->aead.obj) { + EVP_CIPHER_CTX_free(crypt->aead.obj); + } + delete crypt->aead.key; + memset(crypt, 0x0, sizeof(*crypt)); +} + +size_t +pgp_cipher_aead_nonce(pgp_aead_alg_t aalg, const uint8_t *iv, uint8_t *nonce, size_t index) +{ + switch (aalg) { + case PGP_AEAD_EAX: + /* The nonce for EAX mode is computed by treating the starting + initialization vector as a 16-octet, big-endian value and + exclusive-oring the low eight octets of it with the chunk index. + */ + memcpy(nonce, iv, PGP_AEAD_EAX_NONCE_LEN); + for (int i = 15; (i > 7) && index; i--) { + nonce[i] ^= index & 0xff; + index = index >> 8; + } + return PGP_AEAD_EAX_NONCE_LEN; + case PGP_AEAD_OCB: + /* The nonce for a chunk of chunk index "i" in OCB processing is defined as: + OCB-Nonce_{i} = IV[1..120] xor i + */ + memcpy(nonce, iv, PGP_AEAD_OCB_NONCE_LEN); + for (int i = 14; (i >= 0) && index; i--) { + nonce[i] ^= index & 0xff; + index = index >> 8; + } + return PGP_AEAD_OCB_NONCE_LEN; + default: + return 0; + } +} +#endif |