search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
dirvote: Fix memleak when computing consensus
[tor.git] / src / lib / crypt_ops / aes_openssl.c
blobca8c5aca1a1967a2d005cb763ca4b456d284e52c
1 /* Copyright (c) 2001, Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2021, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
6
7 /**
8 * \file aes_openssl.c
9 * \brief Use OpenSSL to implement AES_CTR.
10 **/
11
12 #include "orconfig.h"
13 #include "lib/crypt_ops/aes.h"
14 #include "lib/crypt_ops/crypto_util.h"
15 #include "lib/log/util_bug.h"
16 #include "lib/arch/bytes.h"
17
18 #ifdef _WIN32 /*wrkard for dtls1.h >= 0.9.8m of "#include <winsock.h>"*/
19 #include <winsock2.h>
20 #include <ws2tcpip.h>
21 #endif
22
23 #include "lib/crypt_ops/compat_openssl.h"
24 #include <openssl/opensslv.h>
25 #include "lib/crypt_ops/crypto_openssl_mgt.h"
26
27 #if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,0,0)
28 #error "We require OpenSSL >= 1.0.0"
29 #endif
30
31 DISABLE_GCC_WARNING("-Wredundant-decls")
32
33 #include <stdlib.h>
34 #include <string.h>
35 #include <openssl/aes.h>
36 #include <openssl/evp.h>
37 #include <openssl/engine.h>
38 #include <openssl/modes.h>
39
40 ENABLE_GCC_WARNING("-Wredundant-decls")
41
42 #include "lib/log/log.h"
43 #include "lib/ctime/di_ops.h"
44
45 #ifdef OPENSSL_NO_ENGINE
46 /* Android's OpenSSL seems to have removed all of its Engine support. */
47 #define DISABLE_ENGINES
48 #endif
49
50 /* We have five strategies for implementing AES counter mode.
51 *
52 * Best with x86 and x86_64: Use EVP_aes_*_ctr() and EVP_EncryptUpdate().
53 * This is possible with OpenSSL 1.0.1, where the counter-mode implementation
54 * can use bit-sliced or vectorized AES or AESNI as appropriate.
55 *
56 * Otherwise: Pick the best possible AES block implementation that OpenSSL
57 * gives us, and the best possible counter-mode implementation, and combine
58 * them.
59 */
60 #if OPENSSL_VERSION_NUMBER >= OPENSSL_V_NOPATCH(1,1,0)
61
62 /* With newer OpenSSL versions, the older fallback modes don't compile. So
63 * don't use them, even if we lack specific acceleration. */
64
65 #define USE_EVP_AES_CTR
66
67 #elif OPENSSL_VERSION_NUMBER >= OPENSSL_V_NOPATCH(1,0,1) && \
68 (defined(__i386) || defined(__i386__) || defined(_M_IX86) || \
69 defined(__x86_64) || defined(__x86_64__) || \
70 defined(_M_AMD64) || defined(_M_X64) || defined(__INTEL__))
71
72 #define USE_EVP_AES_CTR
73
74 #endif /* OPENSSL_VERSION_NUMBER >= OPENSSL_V_NOPATCH(1,1,0) || ... */
75
76 /* We have 2 strategies for getting the AES block cipher: Via OpenSSL's
77 * AES_encrypt function, or via OpenSSL's EVP_EncryptUpdate function.
78 *
79 * If there's any hardware acceleration in play, we want to be using EVP_* so
80 * we can get it. Otherwise, we'll want AES_*, which seems to be about 5%
81 * faster than indirecting through the EVP layer.
82 */
83
84 /* We have 2 strategies for getting a plug-in counter mode: use our own, or
85 * use OpenSSL's.
86 *
87 * Here we have a counter mode that's faster than the one shipping with
88 * OpenSSL pre-1.0 (by about 10%!). But OpenSSL 1.0.0 added a counter mode
89 * implementation faster than the one here (by about 7%). So we pick which
90 * one to used based on the Openssl version above. (OpenSSL 1.0.0a fixed a
91 * critical bug in that counter mode implementation, so we need to test to
92 * make sure that we have a fixed version.)
93 */
94
95 #ifdef USE_EVP_AES_CTR
96
97 /* We don't actually define the struct here. */
98
99 aes_cnt_cipher_t *
100 aes_new_cipher(const uint8_t *key, const uint8_t *iv, int key_bits)
101 {
102 EVP_CIPHER_CTX *cipher = EVP_CIPHER_CTX_new();
103 const EVP_CIPHER *c = NULL;
104 switch (key_bits) {
105 case 128: c = EVP_aes_128_ctr(); break;
106 case 192: c = EVP_aes_192_ctr(); break;
107 case 256: c = EVP_aes_256_ctr(); break;
108 default: tor_assert_unreached(); // LCOV_EXCL_LINE
109 }
110 EVP_EncryptInit(cipher, c, key, iv);
111 return (aes_cnt_cipher_t *) cipher;
112 }
113 void
114 aes_cipher_free_(aes_cnt_cipher_t *cipher_)
115 {
116 if (!cipher_)
117 return;
118 EVP_CIPHER_CTX *cipher = (EVP_CIPHER_CTX *) cipher_;
119 #ifdef OPENSSL_1_1_API
120 EVP_CIPHER_CTX_reset(cipher);
121 #else
122 EVP_CIPHER_CTX_cleanup(cipher);
123 #endif
124 EVP_CIPHER_CTX_free(cipher);
125 }
126 void
127 aes_crypt_inplace(aes_cnt_cipher_t *cipher_, char *data, size_t len)
128 {
129 int outl;
130 EVP_CIPHER_CTX *cipher = (EVP_CIPHER_CTX *) cipher_;
131
132 tor_assert(len < INT_MAX);
133
134 EVP_EncryptUpdate(cipher, (unsigned char*)data,
135 &outl, (unsigned char*)data, (int)len);
136 }
137 int
138 evaluate_evp_for_aes(int force_val)
139 {
140 (void) force_val;
141 log_info(LD_CRYPTO, "This version of OpenSSL has a known-good EVP "
142 "counter-mode implementation. Using it.");
143 return 0;
144 }
145 int
146 evaluate_ctr_for_aes(void)
147 {
148 return 0;
149 }
150 #else /* !defined(USE_EVP_AES_CTR) */
151
152 /*======================================================================*/
153 /* Interface to AES code, and counter implementation */
154
155 /** Implements an AES counter-mode cipher. */
156 struct aes_cnt_cipher_t {
157 /** This next element (however it's defined) is the AES key. */
158 union {
159 EVP_CIPHER_CTX evp;
160 AES_KEY aes;
161 } key;
162
163 #if !defined(WORDS_BIGENDIAN)
164 #define USING_COUNTER_VARS
165 /** These four values, together, implement a 128-bit counter, with
166 * counter0 as the low-order word and counter3 as the high-order word. */
167 uint32_t counter3;
168 uint32_t counter2;
169 uint32_t counter1;
170 uint32_t counter0;
171 #endif /* !defined(WORDS_BIGENDIAN) */
172
173 union {
174 /** The counter, in big-endian order, as bytes. */
175 uint8_t buf[16];
176 /** The counter, in big-endian order, as big-endian words. Note that
177 * on big-endian platforms, this is redundant with counter3...0,
178 * so we just use these values instead. */
179 uint32_t buf32[4];
180 } ctr_buf;
181
182 /** The encrypted value of ctr_buf. */
183 uint8_t buf[16];
184 /** Our current stream position within buf. */
185 unsigned int pos;
186
187 /** True iff we're using the evp implementation of this cipher. */
188 uint8_t using_evp;
189 };
190
191 /** True iff we should prefer the EVP implementation for AES, either because
192 * we're testing it or because we have hardware acceleration configured */
193 static int should_use_EVP = 0;
194
195 /** Check whether we should use the EVP interface for AES. If <b>force_val</b>
196 * is nonnegative, we use use EVP iff it is true. Otherwise, we use EVP
197 * if there is an engine enabled for aes-ecb. */
198 int
199 evaluate_evp_for_aes(int force_val)
200 {
201 ENGINE *e;
202
203 if (force_val >= 0) {
204 should_use_EVP = force_val;
205 return 0;
206 }
207 #ifdef DISABLE_ENGINES
208 should_use_EVP = 0;
209 #else
210 e = ENGINE_get_cipher_engine(NID_aes_128_ecb);
211
212 if (e) {
213 log_info(LD_CRYPTO, "AES engine \"%s\" found; using EVP_* functions.",
214 ENGINE_get_name(e));
215 should_use_EVP = 1;
216 } else {
217 log_info(LD_CRYPTO, "No AES engine found; using AES_* functions.");
218 should_use_EVP = 0;
219 }
220 #endif /* defined(DISABLE_ENGINES) */
221
222 return 0;
223 }
224
225 /** Test the OpenSSL counter mode implementation to see whether it has the
226 * counter-mode bug from OpenSSL 1.0.0. If the implementation works, then
227 * we will use it for future encryption/decryption operations.
228 *
229 * We can't just look at the OpenSSL version, since some distributions update
230 * their OpenSSL packages without changing the version number.
231 **/
232 int
233 evaluate_ctr_for_aes(void)
234 {
235 /* Result of encrypting an all-zero block with an all-zero 128-bit AES key.
236 * This should be the same as encrypting an all-zero block with an all-zero
237 * 128-bit AES key in counter mode, starting at position 0 of the stream.
238 */
239 static const unsigned char encrypt_zero[] =
240 "\x66\xe9\x4b\xd4\xef\x8a\x2c\x3b\x88\x4c\xfa\x59\xca\x34\x2b\x2e";
241 unsigned char zero[16];
242 unsigned char output[16];
243 unsigned char ivec[16];
244 unsigned char ivec_tmp[16];
245 unsigned int pos, i;
246 AES_KEY key;
247 memset(zero, 0, sizeof(zero));
248 memset(ivec, 0, sizeof(ivec));
249 AES_set_encrypt_key(zero, 128, &key);
250
251 pos = 0;
252 /* Encrypting a block one byte at a time should make the error manifest
253 * itself for known bogus openssl versions. */
254 for (i=0; i<16; ++i)
255 AES_ctr128_encrypt(&zero[i], &output[i], 1, &key, ivec, ivec_tmp, &pos);
256
257 if (fast_memneq(output, encrypt_zero, 16)) {
258 /* Counter mode is buggy */
259 /* LCOV_EXCL_START */
260 log_err(LD_CRYPTO, "This OpenSSL has a buggy version of counter mode; "
261 "quitting tor.");
262 exit(1); // exit ok: openssl is broken.
263 /* LCOV_EXCL_STOP */
264 }
265 return 0;
266 }
267
268 #if !defined(USING_COUNTER_VARS)
269 #define COUNTER(c, n) ((c)->ctr_buf.buf32[3-(n)])
270 #else
271 #define COUNTER(c, n) ((c)->counter ## n)
272 #endif
273
274 static void aes_set_key(aes_cnt_cipher_t *cipher, const uint8_t *key,
275 int key_bits);
276 static void aes_set_iv(aes_cnt_cipher_t *cipher, const uint8_t *iv);
277
278 /**
279 * Return a newly allocated counter-mode AES128 cipher implementation,
280 * using the 128-bit key <b>key</b> and the 128-bit IV <b>iv</b>.
281 */
282 aes_cnt_cipher_t*
283 aes_new_cipher(const uint8_t *key, const uint8_t *iv, int bits)
284 {
285 aes_cnt_cipher_t* result = tor_malloc_zero(sizeof(aes_cnt_cipher_t));
286
287 aes_set_key(result, key, bits);
288 aes_set_iv(result, iv);
289
290 return result;
291 }
292
293 /** Set the key of <b>cipher</b> to <b>key</b>, which is
294 * <b>key_bits</b> bits long (must be 128, 192, or 256). Also resets
295 * the counter to 0.
296 */
297 static void
298 aes_set_key(aes_cnt_cipher_t *cipher, const uint8_t *key, int key_bits)
299 {
300 if (should_use_EVP) {
301 const EVP_CIPHER *c = 0;
302 switch (key_bits) {
303 case 128: c = EVP_aes_128_ecb(); break;
304 case 192: c = EVP_aes_192_ecb(); break;
305 case 256: c = EVP_aes_256_ecb(); break;
306 default: tor_assert(0); // LCOV_EXCL_LINE
307 }
308 EVP_EncryptInit(&cipher->key.evp, c, key, NULL);
309 cipher->using_evp = 1;
310 } else {
311 AES_set_encrypt_key(key, key_bits,&cipher->key.aes);
312 cipher->using_evp = 0;
313 }
314
315 #ifdef USING_COUNTER_VARS
316 cipher->counter0 = 0;
317 cipher->counter1 = 0;
318 cipher->counter2 = 0;
319 cipher->counter3 = 0;
320 #endif /* defined(USING_COUNTER_VARS) */
321
322 memset(cipher->ctr_buf.buf, 0, sizeof(cipher->ctr_buf.buf));
323
324 cipher->pos = 0;
325
326 memset(cipher->buf, 0, sizeof(cipher->buf));
327 }
328
329 /** Release storage held by <b>cipher</b>
330 */
331 void
332 aes_cipher_free_(aes_cnt_cipher_t *cipher)
333 {
334 if (!cipher)
335 return;
336 if (cipher->using_evp) {
337 EVP_CIPHER_CTX_cleanup(&cipher->key.evp);
338 }
339 memwipe(cipher, 0, sizeof(aes_cnt_cipher_t));
340 tor_free(cipher);
341 }
342
343 #if defined(USING_COUNTER_VARS)
344 #define UPDATE_CTR_BUF(c, n) STMT_BEGIN \
345 (c)->ctr_buf.buf32[3-(n)] = htonl((c)->counter ## n); \
346 STMT_END
347 #else
348 #define UPDATE_CTR_BUF(c, n)
349 #endif /* defined(USING_COUNTER_VARS) */
350
351 /* Helper function to use EVP with openssl's counter-mode wrapper. */
352 static void
353 evp_block128_fn(const uint8_t in[16],
354 uint8_t out[16],
355 const void *key)
356 {
357 EVP_CIPHER_CTX *ctx = (void*)key;
358 int inl=16, outl=16;
359 EVP_EncryptUpdate(ctx, out, &outl, in, inl);
360 }
361
362 /** Encrypt <b>len</b> bytes from <b>input</b>, storing the results in place.
363 * Uses the key in <b>cipher</b>, and advances the counter by <b>len</b> bytes
364 * as it encrypts.
365 */
366 void
367 aes_crypt_inplace(aes_cnt_cipher_t *cipher, char *data, size_t len)
368 {
369 /* Note that the "128" below refers to the length of the counter,
370 * not the length of the AES key. */
371 if (cipher->using_evp) {
372 /* In openssl 1.0.0, there's an if'd out EVP_aes_128_ctr in evp.h. If
373 * it weren't disabled, it might be better just to use that.
374 */
375 CRYPTO_ctr128_encrypt((const unsigned char *)data,
376 (unsigned char *)data,
377 len,
378 &cipher->key.evp,
379 cipher->ctr_buf.buf,
380 cipher->buf,
381 &cipher->pos,
382 evp_block128_fn);
383 } else {
384 AES_ctr128_encrypt((const unsigned char *)data,
385 (unsigned char *)data,
386 len,
387 &cipher->key.aes,
388 cipher->ctr_buf.buf,
389 cipher->buf,
390 &cipher->pos);
391 }
392 }
393
394 /** Reset the 128-bit counter of <b>cipher</b> to the 16-bit big-endian value
395 * in <b>iv</b>. */
396 static void
397 aes_set_iv(aes_cnt_cipher_t *cipher, const uint8_t *iv)
398 {
399 #ifdef USING_COUNTER_VARS
400 cipher->counter3 = tor_ntohl(get_uint32(iv));
401 cipher->counter2 = tor_ntohl(get_uint32(iv+4));
402 cipher->counter1 = tor_ntohl(get_uint32(iv+8));
403 cipher->counter0 = tor_ntohl(get_uint32(iv+12));
404 #endif /* defined(USING_COUNTER_VARS) */
405 cipher->pos = 0;
406 memcpy(cipher->ctr_buf.buf, iv, 16);
407 }
408
409 #endif /* defined(USE_EVP_AES_CTR) */
The Onion Router