aes_openssl.c

Go to the documentation of this file.

/* Copyright (c) 2001, Matej Pfajfar.
 * Copyright (c) 2001-2004, Roger Dingledine.
 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
 * Copyright (c) 2007-2021, The Tor Project, Inc. */
/* See LICENSE for licensing information */
 
/**
 * \file aes_openssl.c
 * \brief Use OpenSSL to implement AES_CTR.
 **/
 
#define USE_AES_RAW
#define TOR_AES_PRIVATE
 
#include "orconfig.h"
#include "lib/crypt_ops/aes.h"
#include "lib/crypt_ops/crypto_util.h"
#include "lib/log/util_bug.h"
#include "lib/arch/bytes.h"
 
#ifdef _WIN32 /*wrkard for dtls1.h >= 0.9.8m of "#include <winsock.h>"*/
  #include <winsock2.h>
  #include <ws2tcpip.h>
#endif
 
#include "lib/crypt_ops/compat_openssl.h"
#include <openssl/opensslv.h>
#include "lib/crypt_ops/crypto_openssl_mgt.h"
 
DISABLE_GCC_WARNING("-Wredundant-decls")
 
#include <stdlib.h>
#include <string.h>
#include <openssl/aes.h>
#include <openssl/evp.h>
#include <openssl/engine.h>
#include <openssl/modes.h>
 
ENABLE_GCC_WARNING("-Wredundant-decls")
 
#include "lib/log/log.h"
#include "lib/ctime/di_ops.h"
 
/* Cached values of our EVP_CIPHER items.  If we don't pre-fetch them,
 * then EVP_CipherInit calls EVP_CIPHER_fetch itself,
 * which is surprisingly expensive.
 */
static const EVP_CIPHER *aes128ctr = NULL;
static const EVP_CIPHER *aes192ctr = NULL;
static const EVP_CIPHER *aes256ctr = NULL;
static const EVP_CIPHER *aes128ecb = NULL;
static const EVP_CIPHER *aes192ecb = NULL;
static const EVP_CIPHER *aes256ecb = NULL;
 
#if OPENSSL_VERSION_NUMBER >= OPENSSL_V_NOPATCH(3,0,0) \
  && !defined(LIBRESSL_VERSION_NUMBER)
#define RESOLVE_CIPHER(c) \
  EVP_CIPHER_fetch(NULL, OBJ_nid2sn(EVP_CIPHER_get_nid(c)), "")
#else
#define RESOLVE_CIPHER(c) (c)
#endif
 
/**
 * Pre-fetch the versions of every AES cipher with its associated provider.
 */
static void
init_ciphers(void)
{
  aes128ctr = RESOLVE_CIPHER(EVP_aes_128_ctr());
  aes192ctr = RESOLVE_CIPHER(EVP_aes_192_ctr());
  aes256ctr = RESOLVE_CIPHER(EVP_aes_256_ctr());
  aes128ecb = RESOLVE_CIPHER(EVP_aes_128_ecb());
  aes192ecb = RESOLVE_CIPHER(EVP_aes_192_ecb());
  aes256ecb = RESOLVE_CIPHER(EVP_aes_256_ecb());
}
#define INIT_CIPHERS() STMT_BEGIN { \
    if (PREDICT_UNLIKELY(NULL == aes128ctr)) {  \
      init_ciphers();                           \
    }                                           \
  } STMT_END
 
/* We have 2 strategies for getting the AES block cipher: Via OpenSSL's
 * AES_encrypt function, or via OpenSSL's EVP_EncryptUpdate function.
 *
 * If there's any hardware acceleration in play, we want to be using EVP_* so
 * we can get it.  Otherwise, we'll want AES_*, which seems to be about 5%
 * faster than indirecting through the EVP layer.
 */
 
/* We have 2 strategies for getting a plug-in counter mode: use our own, or
 * use OpenSSL's.
 *
 * Here we have a counter mode that's faster than the one shipping with
 * OpenSSL pre-1.0 (by about 10%!).  But OpenSSL 1.0.0 added a counter mode
 * implementation faster than the one here (by about 7%).  So we pick which
 * one to used based on the Openssl version above.  (OpenSSL 1.0.0a fixed a
 * critical bug in that counter mode implementation, so we need to test to
 * make sure that we have a fixed version.)
 */
 
/* We don't actually define the struct here. */
 
aes_cnt_cipher_t *
aes_new_cipher(const uint8_t *key, const uint8_t *iv, int key_bits)
{
  INIT_CIPHERS();
  EVP_CIPHER_CTX *cipher = EVP_CIPHER_CTX_new();
  const EVP_CIPHER *c = NULL;
  switch (key_bits) {
    case 128: c = aes128ctr; break;
    case 192: c = aes192ctr; break;
    case 256: c = aes256ctr; break;
    default: tor_assert_unreached(); // LCOV_EXCL_LINE
  }
  EVP_EncryptInit(cipher, c, key, iv);
  return (aes_cnt_cipher_t *) cipher;
}
void
aes_cipher_free_(aes_cnt_cipher_t *cipher_)
{
  if (!cipher_)
    return;
  EVP_CIPHER_CTX *cipher = (EVP_CIPHER_CTX *) cipher_;
  EVP_CIPHER_CTX_reset(cipher);
  EVP_CIPHER_CTX_free(cipher);
}
 
/** Changes the key of the cipher;
 * sets the IV to 0.
 */
void
aes_cipher_set_key(aes_cnt_cipher_t *cipher_, const uint8_t *key, int key_bits)
{
  EVP_CIPHER_CTX *cipher = (EVP_CIPHER_CTX *) cipher_;
  uint8_t iv[16] = {0};
  const EVP_CIPHER *c = NULL;
  switch (key_bits) {
    case 128: c = aes128ctr; break;
    case 192: c = aes192ctr; break;
    case 256: c = aes256ctr; break;
    default: tor_assert_unreached(); // LCOV_EXCL_LINE
  }
 
  // No need to call EVP_CIPHER_CTX_Reset here; EncryptInit already
  // does it for us.
  EVP_EncryptInit(cipher, c, key, iv);
}
/** Change the IV of this stream cipher without changing the key.
 *
 * Requires that the cipher stream position is at an even multiple of 16 bytes.
 */
void
aes_cipher_set_iv_aligned(aes_cnt_cipher_t *cipher_, const uint8_t *iv)
{
  EVP_CIPHER_CTX *cipher = (EVP_CIPHER_CTX *) cipher_;
#ifdef LIBRESSL_VERSION_NUMBER
  EVP_CIPHER_CTX_set_iv(cipher, iv, 16);
#else
  // We would have to do this if the cipher's position were not aligned:
  // EVP_CIPHER_CTX_set_num(cipher, 0);
 
  memcpy(EVP_CIPHER_CTX_iv_noconst(cipher), iv, 16);
#endif
}
void
aes_crypt_inplace(aes_cnt_cipher_t *cipher_, char *data, size_t len)
{
  int outl;
  EVP_CIPHER_CTX *cipher = (EVP_CIPHER_CTX *) cipher_;
 
  tor_assert(len < INT_MAX);
 
  EVP_EncryptUpdate(cipher, (unsigned char*)data,
                    &outl, (unsigned char*)data, (int)len);
}
 
/* ========
 * Functions for "raw" (ECB) AES.
 *
 * I'm choosing the name "raw" here because ECB is not a mode;
 * it's a disaster.  The only way to use this safely is
 * within a real construction.
 */
 
/**
 * Create a new instance of AES using a key of length 'key_bits'
 * for raw block encryption.
 *
 * This is even more low-level than counter-mode, and you should
 * only use it with extreme caution.
 */
aes_raw_t *
aes_raw_new(const uint8_t *key, int key_bits, bool encrypt)
{
  INIT_CIPHERS();
  EVP_CIPHER_CTX *cipher = EVP_CIPHER_CTX_new();
  tor_assert(cipher);
  const EVP_CIPHER *c = NULL;
  switch (key_bits) {
    case 128: c = aes128ecb; break;
    case 192: c = aes192ecb; break;
    case 256: c = aes256ecb; break;
    default: tor_assert_unreached();
  }
 
  // No need to call EVP_CIPHER_CTX_Reset here; EncryptInit already
  // does it for us.
  int r = EVP_CipherInit(cipher, c, key, NULL, encrypt);
  tor_assert(r == 1);
  EVP_CIPHER_CTX_set_padding(cipher, 0);
  return (aes_raw_t *)cipher;
}
/**
 * Replace the key on an existing aes_raw_t.
 *
 * This may be faster than freeing and reallocating.
 */
void
aes_raw_set_key(aes_raw_t **cipher_, const uint8_t *key,
                int key_bits, bool encrypt)
{
  const EVP_CIPHER *c = *(EVP_CIPHER**) cipher_;
  switch (key_bits) {
    case 128: c = aes128ecb; break;
    case 192: c = aes192ecb; break;
    case 256: c = aes256ecb; break;
    default: tor_assert_unreached();
  }
  aes_raw_t *cipherp = *cipher_;
  EVP_CIPHER_CTX *cipher = (EVP_CIPHER_CTX *)cipherp;
  int r = EVP_CipherInit(cipher, c, key, NULL, encrypt);
  tor_assert(r == 1);
  EVP_CIPHER_CTX_set_padding(cipher, 0);
}
 
/**
 * Release storage held by 'cipher'.
 */
void
aes_raw_free_(aes_raw_t *cipher_)
{
  if (!cipher_)
    return;
  EVP_CIPHER_CTX *cipher = (EVP_CIPHER_CTX *)cipher_;
#ifdef OPENSSL_1_1_API
  EVP_CIPHER_CTX_reset(cipher);
#else
  EVP_CIPHER_CTX_cleanup(cipher);
#endif
  EVP_CIPHER_CTX_free(cipher);
}
#define aes_raw_free(cipher) \
  FREE_AND_NULL(aes_raw_t, aes_raw_free_, (cipher))
/**
 * Encrypt a single 16-byte block with 'cipher',
 * which must have been initialized for encryption.
 */
void
aes_raw_encrypt(const aes_raw_t *cipher, uint8_t *block)
{
  int outl = 16;
  int r = EVP_EncryptUpdate((EVP_CIPHER_CTX *)cipher, block, &outl, block, 16);
  tor_assert(r == 1);
  tor_assert(outl == 16);
}
/**
 * Decrypt a single 16-byte block with 'cipher',
 * which must have been initialized for decryption.
 */
void
aes_raw_decrypt(const aes_raw_t *cipher, uint8_t *block)
{
  int outl = 16;
  int r = EVP_DecryptUpdate((EVP_CIPHER_CTX *)cipher, block, &outl, block, 16);
  tor_assert(r == 1);
  tor_assert(outl == 16);
}