3 * Copyright (c) 2020 Vitaly Chikunov <vt@altlinux.org>
4 * This file is distributed under the same license as OpenSSL
7 #include "gost_grasshopper_cipher.h"
8 #include "gost_grasshopper_defines.h"
9 #include "gost_grasshopper_math.h"
10 #include "gost_grasshopper_core.h"
11 #include "gost_gost2015.h"
13 #include <openssl/evp.h>
14 #include <openssl/rand.h>
15 #include <openssl/err.h>
20 #include "e_gost_err.h"
22 enum GRASSHOPPER_CIPHER_TYPE {
23 GRASSHOPPER_CIPHER_ECB = 0,
24 GRASSHOPPER_CIPHER_CBC,
25 GRASSHOPPER_CIPHER_OFB,
26 GRASSHOPPER_CIPHER_CFB,
27 GRASSHOPPER_CIPHER_CTR,
28 GRASSHOPPER_CIPHER_CTRACPKM,
29 GRASSHOPPER_CIPHER_CTRACPKMOMAC,
30 GRASSHOPPER_CIPHER_MGM,
33 static GOST_cipher grasshopper_template_cipher = {
34 .block_size = GRASSHOPPER_BLOCK_SIZE,
35 .key_len = GRASSHOPPER_KEY_SIZE,
36 .flags = EVP_CIPH_RAND_KEY |
37 EVP_CIPH_ALWAYS_CALL_INIT,
38 .cleanup = gost_grasshopper_cipher_cleanup,
39 .ctx_size = sizeof(gost_grasshopper_cipher_ctx),
40 .set_asn1_parameters = gost_grasshopper_set_asn1_parameters,
41 .get_asn1_parameters = gost_grasshopper_get_asn1_parameters,
42 .ctrl = gost_grasshopper_cipher_ctl,
45 GOST_cipher grasshopper_ecb_cipher = {
46 .nid = NID_grasshopper_ecb,
47 .template = &grasshopper_template_cipher,
48 .flags = EVP_CIPH_ECB_MODE,
49 .init = gost_grasshopper_cipher_init_ecb,
50 .do_cipher = gost_grasshopper_cipher_do_ecb,
53 GOST_cipher grasshopper_cbc_cipher = {
54 .nid = NID_grasshopper_cbc,
55 .template = &grasshopper_template_cipher,
57 .flags = EVP_CIPH_CBC_MODE |
59 .init = gost_grasshopper_cipher_init_cbc,
60 .do_cipher = gost_grasshopper_cipher_do_cbc,
63 GOST_cipher grasshopper_ofb_cipher = {
64 .nid = NID_grasshopper_ofb,
65 .template = &grasshopper_template_cipher,
68 .flags = EVP_CIPH_OFB_MODE |
71 .init = gost_grasshopper_cipher_init_ofb,
72 .do_cipher = gost_grasshopper_cipher_do_ofb,
75 GOST_cipher grasshopper_cfb_cipher = {
76 .nid = NID_grasshopper_cfb,
77 .template = &grasshopper_template_cipher,
80 .flags = EVP_CIPH_CFB_MODE |
83 .init = gost_grasshopper_cipher_init_cfb,
84 .do_cipher = gost_grasshopper_cipher_do_cfb,
87 GOST_cipher grasshopper_ctr_cipher = {
88 .nid = NID_grasshopper_ctr,
89 .template = &grasshopper_template_cipher,
92 .flags = EVP_CIPH_CTR_MODE |
95 .init = gost_grasshopper_cipher_init_ctr,
96 .do_cipher = gost_grasshopper_cipher_do_ctr,
97 .ctx_size = sizeof(gost_grasshopper_cipher_ctx_ctr),
100 GOST_cipher grasshopper_ctr_acpkm_cipher = {
101 .nid = NID_kuznyechik_ctr_acpkm,
102 .template = &grasshopper_template_cipher,
105 .flags = EVP_CIPH_CTR_MODE |
106 EVP_CIPH_NO_PADDING |
108 .init = gost_grasshopper_cipher_init_ctracpkm,
109 .do_cipher = gost_grasshopper_cipher_do_ctracpkm,
110 .ctx_size = sizeof(gost_grasshopper_cipher_ctx_ctr),
113 GOST_cipher grasshopper_ctr_acpkm_omac_cipher = {
114 .nid = NID_kuznyechik_ctr_acpkm_omac,
115 .template = &grasshopper_template_cipher,
118 .flags = EVP_CIPH_CTR_MODE |
119 EVP_CIPH_NO_PADDING |
121 EVP_CIPH_FLAG_CUSTOM_CIPHER |
122 EVP_CIPH_FLAG_CIPHER_WITH_MAC |
123 EVP_CIPH_CUSTOM_COPY,
124 .init = gost_grasshopper_cipher_init_ctracpkm_omac,
125 .do_cipher = gost_grasshopper_cipher_do_ctracpkm_omac,
126 .ctx_size = sizeof(gost_grasshopper_cipher_ctx_ctr),
129 GOST_cipher grasshopper_mgm_cipher = {
130 .nid = NID_kuznyechik_mgm,
131 .template = &grasshopper_template_cipher,
134 .flags = EVP_CIPH_NO_PADDING |
135 EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER |
136 EVP_CIPH_CTRL_INIT | EVP_CIPH_FLAG_AEAD_CIPHER,
137 .cleanup = gost_grasshopper_mgm_cleanup,
138 .ctrl = gost_grasshopper_mgm_ctrl,
139 .init = gost_grasshopper_cipher_init_mgm,
140 .do_cipher = gost_grasshopper_cipher_do_mgm,
141 .ctx_size = sizeof(gost_mgm_ctx)
144 /* first 256 bit of D from draft-irtf-cfrg-re-keying-12 */
145 static const unsigned char ACPKM_D_2018[] = {
146 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, /* 64 bit */
147 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f, /* 128 bit */
148 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
149 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f, /* 256 bit */
152 static void acpkm_next(gost_grasshopper_cipher_ctx * c)
154 unsigned char newkey[GRASSHOPPER_KEY_SIZE];
155 const int J = GRASSHOPPER_KEY_SIZE / GRASSHOPPER_BLOCK_SIZE;
158 for (n = 0; n < J; n++) {
159 const unsigned char *D_n = &ACPKM_D_2018[n * GRASSHOPPER_BLOCK_SIZE];
161 grasshopper_encrypt_block(&c->encrypt_round_keys,
162 (grasshopper_w128_t *) D_n,
163 (grasshopper_w128_t *) & newkey[n *
164 GRASSHOPPER_BLOCK_SIZE],
167 gost_grasshopper_cipher_key(c, newkey);
170 /* Set 256 bit key into context */
171 static GRASSHOPPER_INLINE void
172 gost_grasshopper_cipher_key(gost_grasshopper_cipher_ctx * c, const uint8_t *k)
175 for (i = 0; i < 2; i++) {
176 grasshopper_copy128(&c->key.k.k[i],
177 (const grasshopper_w128_t *)(k + i * 16));
180 grasshopper_set_encrypt_key(&c->encrypt_round_keys, &c->key);
181 grasshopper_set_decrypt_key(&c->decrypt_round_keys, &c->key);
184 /* Set master 256-bit key to be used in TLSTREE calculation into context */
185 static GRASSHOPPER_INLINE void
186 gost_grasshopper_master_key(gost_grasshopper_cipher_ctx * c, const uint8_t *k)
189 for (i = 0; i < 2; i++) {
190 grasshopper_copy128(&c->master_key.k.k[i],
191 (const grasshopper_w128_t *)(k + i * 16));
195 /* Cleans up key from context */
196 static GRASSHOPPER_INLINE void
197 gost_grasshopper_cipher_destroy(gost_grasshopper_cipher_ctx * c)
200 for (i = 0; i < 2; i++) {
201 grasshopper_zero128(&c->key.k.k[i]);
202 grasshopper_zero128(&c->master_key.k.k[i]);
204 for (i = 0; i < GRASSHOPPER_ROUND_KEYS_COUNT; i++) {
205 grasshopper_zero128(&c->encrypt_round_keys.k[i]);
207 for (i = 0; i < GRASSHOPPER_ROUND_KEYS_COUNT; i++) {
208 grasshopper_zero128(&c->decrypt_round_keys.k[i]);
210 grasshopper_zero128(&c->buffer);
213 static GRASSHOPPER_INLINE void
214 gost_grasshopper_cipher_destroy_ctr(gost_grasshopper_cipher_ctx * c)
216 gost_grasshopper_cipher_ctx_ctr *ctx =
217 (gost_grasshopper_cipher_ctx_ctr *) c;
220 EVP_MD_CTX_free(ctx->omac_ctx);
222 grasshopper_zero128(&ctx->partial_buffer);
225 static int gost_grasshopper_cipher_init(EVP_CIPHER_CTX *ctx,
226 const unsigned char *key,
227 const unsigned char *iv, int enc)
229 gost_grasshopper_cipher_ctx *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
231 if (EVP_CIPHER_CTX_get_app_data(ctx) == NULL) {
232 EVP_CIPHER_CTX_set_app_data(ctx, EVP_CIPHER_CTX_get_cipher_data(ctx));
233 if (enc && c->type == GRASSHOPPER_CIPHER_CTRACPKM) {
234 gost_grasshopper_cipher_ctx_ctr *ctr = EVP_CIPHER_CTX_get_cipher_data(ctx);
235 if (init_zero_kdf_seed(ctr->kdf_seed) == 0)
241 gost_grasshopper_cipher_key(c, key);
242 gost_grasshopper_master_key(c, key);
246 memcpy((unsigned char *)EVP_CIPHER_CTX_original_iv(ctx), iv,
247 EVP_CIPHER_CTX_iv_length(ctx));
250 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx),
251 EVP_CIPHER_CTX_original_iv(ctx), EVP_CIPHER_CTX_iv_length(ctx));
253 grasshopper_zero128(&c->buffer);
258 static GRASSHOPPER_INLINE int
259 gost_grasshopper_cipher_init_ecb(EVP_CIPHER_CTX *ctx, const unsigned char
260 *key, const unsigned char
263 gost_grasshopper_cipher_ctx *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
264 c->type = GRASSHOPPER_CIPHER_ECB;
265 return gost_grasshopper_cipher_init(ctx, key, iv, enc);
268 static GRASSHOPPER_INLINE int
269 gost_grasshopper_cipher_init_cbc(EVP_CIPHER_CTX *ctx, const unsigned char
270 *key, const unsigned char
273 gost_grasshopper_cipher_ctx *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
274 c->type = GRASSHOPPER_CIPHER_CBC;
275 return gost_grasshopper_cipher_init(ctx, key, iv, enc);
278 static GRASSHOPPER_INLINE
279 int gost_grasshopper_cipher_init_ofb(EVP_CIPHER_CTX *ctx, const unsigned char
280 *key, const unsigned char
283 gost_grasshopper_cipher_ctx *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
284 c->type = GRASSHOPPER_CIPHER_OFB;
285 return gost_grasshopper_cipher_init(ctx, key, iv, enc);
288 static GRASSHOPPER_INLINE int
289 gost_grasshopper_cipher_init_cfb(EVP_CIPHER_CTX *ctx, const unsigned char
290 *key, const unsigned char
293 gost_grasshopper_cipher_ctx *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
294 c->type = GRASSHOPPER_CIPHER_CFB;
295 return gost_grasshopper_cipher_init(ctx, key, iv, enc);
298 static GRASSHOPPER_INLINE int
299 gost_grasshopper_cipher_init_ctr(EVP_CIPHER_CTX *ctx, const unsigned char
300 *key, const unsigned char
303 gost_grasshopper_cipher_ctx_ctr *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
305 c->c.type = GRASSHOPPER_CIPHER_CTR;
306 EVP_CIPHER_CTX_set_num(ctx, 0);
308 grasshopper_zero128(&c->partial_buffer);
310 return gost_grasshopper_cipher_init(ctx, key, iv, enc);
313 static GRASSHOPPER_INLINE int
314 gost_grasshopper_cipher_init_ctracpkm(EVP_CIPHER_CTX
316 char *key, const unsigned
319 gost_grasshopper_cipher_ctx_ctr *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
321 /* NB: setting type makes EVP do_cipher callback useless */
322 c->c.type = GRASSHOPPER_CIPHER_CTRACPKM;
323 EVP_CIPHER_CTX_set_num(ctx, 0);
324 c->section_size = 4096;
326 return gost_grasshopper_cipher_init(ctx, key, iv, enc);
329 static GRASSHOPPER_INLINE int
330 gost_grasshopper_cipher_init_ctracpkm_omac(EVP_CIPHER_CTX
332 char *key, const unsigned
335 gost_grasshopper_cipher_ctx_ctr *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
337 /* NB: setting type makes EVP do_cipher callback useless */
338 c->c.type = GRASSHOPPER_CIPHER_CTRACPKMOMAC;
339 EVP_CIPHER_CTX_set_num(ctx, 0);
340 c->section_size = 4096;
343 unsigned char cipher_key[32];
344 c->omac_ctx = EVP_MD_CTX_new();
346 if (c->omac_ctx == NULL) {
347 GOSTerr(GOST_F_GOST_GRASSHOPPER_CIPHER_INIT_CTRACPKM_OMAC, ERR_R_MALLOC_FAILURE);
351 if (gost2015_acpkm_omac_init(NID_kuznyechik_mac, enc, key,
352 c->omac_ctx, cipher_key, c->kdf_seed) != 1) {
353 EVP_MD_CTX_free(c->omac_ctx);
358 return gost_grasshopper_cipher_init(ctx, cipher_key, iv, enc);
361 return gost_grasshopper_cipher_init(ctx, key, iv, enc);
364 // TODO: const *in, const *c
365 void gost_grasshopper_encrypt_wrap(unsigned char *in, unsigned char *out,
366 gost_grasshopper_cipher_ctx *c) {
367 grasshopper_encrypt_block(&c->encrypt_round_keys,
368 (grasshopper_w128_t *) in,
369 (grasshopper_w128_t *) out,
375 /* ----------------------------------------------------------------------------------------------- */
376 /*! Функция реализует операцию умножения двух элементов конечного поля \f$ \mathbb F_{2^{128}}\f$,
377 порожденного неприводимым многочленом
378 \f$ f(x) = x^{128} + x^7 + x^2 + x + 1 \in \mathbb F_2[x]\f$. Для умножения используется
379 простейшая реализация, основанная на приведении по модулю после каждого шага алгоритма. */
380 /* ----------------------------------------------------------------------------------------------- */
381 static void gf128_mul_uint64 (uint64_t *result, uint64_t *arg1, uint64_t *arg2)
384 register uint64_t t, X0, X1;
385 uint64_t Z0 = 0, Z1 = 0;
388 X0 = BSWAP64(*(arg1 + 1));
395 //first 64 bits of arg1
397 t = BSWAP64(*(arg2 + 1));
402 for (i = 0; i < 64; i++) {
408 if (X1 & 0x8000000000000000) {
421 //second 64 bits of arg2
428 for (i = 0; i < 63; i++) {
434 if (X1 & 0x8000000000000000) {
453 result[0] = BSWAP64(Z1);
454 result[1] = BSWAP64(Z0);
461 static GRASSHOPPER_INLINE int
462 gost_grasshopper_cipher_init_mgm(EVP_CIPHER_CTX *ctx, const unsigned char *key,
463 const unsigned char *iv, int enc)
466 (gost_mgm_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx);
472 bl = EVP_CIPHER_CTX_iv_length(ctx);
473 gost_grasshopper_cipher_key(&mctx->ks.gh_ks, key);
474 gost_mgm128_init(&mctx->mgm, &mctx->ks,
475 (block128_f) gost_grasshopper_encrypt_wrap, gf128_mul_uint64, bl);
478 * If we have an iv can set it directly, otherwise use saved IV.
480 if (iv == NULL && mctx->iv_set)
483 if (gost_mgm128_setiv(&mctx->mgm, iv, mctx->ivlen) != 1)
489 /* If key set use IV, otherwise copy */
491 if (gost_mgm128_setiv(&mctx->mgm, iv, mctx->ivlen) != 1)
495 memcpy(mctx->iv, iv, mctx->ivlen);
501 static int gost_grasshopper_cipher_do_ecb(EVP_CIPHER_CTX *ctx, unsigned char *out,
502 const unsigned char *in, size_t inl)
504 gost_grasshopper_cipher_ctx *c =
505 (gost_grasshopper_cipher_ctx *) EVP_CIPHER_CTX_get_cipher_data(ctx);
506 bool encrypting = (bool) EVP_CIPHER_CTX_encrypting(ctx);
507 const unsigned char *current_in = in;
508 unsigned char *current_out = out;
509 size_t blocks = inl / GRASSHOPPER_BLOCK_SIZE;
512 for (i = 0; i < blocks;
513 i++, current_in += GRASSHOPPER_BLOCK_SIZE, current_out +=
514 GRASSHOPPER_BLOCK_SIZE) {
516 grasshopper_encrypt_block(&c->encrypt_round_keys,
517 (grasshopper_w128_t *) current_in,
518 (grasshopper_w128_t *) current_out,
521 grasshopper_decrypt_block(&c->decrypt_round_keys,
522 (grasshopper_w128_t *) current_in,
523 (grasshopper_w128_t *) current_out,
531 static int gost_grasshopper_cipher_do_cbc(EVP_CIPHER_CTX *ctx, unsigned char *out,
532 const unsigned char *in, size_t inl)
534 gost_grasshopper_cipher_ctx *c =
535 (gost_grasshopper_cipher_ctx *) EVP_CIPHER_CTX_get_cipher_data(ctx);
536 unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
537 bool encrypting = (bool) EVP_CIPHER_CTX_encrypting(ctx);
538 const unsigned char *current_in = in;
539 unsigned char *current_out = out;
540 size_t blocks = inl / GRASSHOPPER_BLOCK_SIZE;
542 grasshopper_w128_t *currentBlock;
544 currentBlock = (grasshopper_w128_t *) iv;
546 for (i = 0; i < blocks;
547 i++, current_in += GRASSHOPPER_BLOCK_SIZE, current_out +=
548 GRASSHOPPER_BLOCK_SIZE) {
549 grasshopper_w128_t *currentInputBlock = (grasshopper_w128_t *) current_in;
550 grasshopper_w128_t *currentOutputBlock = (grasshopper_w128_t *) current_out;
552 grasshopper_append128(currentBlock, currentInputBlock);
553 grasshopper_encrypt_block(&c->encrypt_round_keys, currentBlock,
554 currentOutputBlock, &c->buffer);
555 grasshopper_copy128(currentBlock, currentOutputBlock);
557 grasshopper_w128_t tmp;
559 grasshopper_copy128(&tmp, currentInputBlock);
560 grasshopper_decrypt_block(&c->decrypt_round_keys,
561 currentInputBlock, currentOutputBlock,
563 grasshopper_append128(currentOutputBlock, currentBlock);
564 grasshopper_copy128(currentBlock, &tmp);
571 void inc_counter(unsigned char *counter, size_t counter_bytes)
573 unsigned int n = counter_bytes;
586 /* increment counter (128-bit int) by 1 */
587 static void ctr128_inc(unsigned char *counter)
589 inc_counter(counter, 16);
592 static int gost_grasshopper_cipher_do_ctr(EVP_CIPHER_CTX *ctx, unsigned char *out,
593 const unsigned char *in, size_t inl)
595 gost_grasshopper_cipher_ctx_ctr *c = (gost_grasshopper_cipher_ctx_ctr *)
596 EVP_CIPHER_CTX_get_cipher_data(ctx);
597 unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
598 const unsigned char *current_in = in;
599 unsigned char *current_out = out;
600 grasshopper_w128_t *currentInputBlock;
601 grasshopper_w128_t *currentOutputBlock;
602 unsigned int n = EVP_CIPHER_CTX_num(ctx);
606 grasshopper_w128_t *iv_buffer;
607 grasshopper_w128_t tmp;
609 while (n && lasted) {
610 *(current_out++) = *(current_in++) ^ c->partial_buffer.b[n];
612 n = (n + 1) % GRASSHOPPER_BLOCK_SIZE;
614 EVP_CIPHER_CTX_set_num(ctx, n);
615 blocks = lasted / GRASSHOPPER_BLOCK_SIZE;
617 iv_buffer = (grasshopper_w128_t *) iv;
620 for (i = 0; i < blocks; i++) {
621 currentInputBlock = (grasshopper_w128_t *) current_in;
622 currentOutputBlock = (grasshopper_w128_t *) current_out;
623 grasshopper_encrypt_block(&c->c.encrypt_round_keys, iv_buffer,
624 &c->partial_buffer, &c->c.buffer);
625 grasshopper_plus128(&tmp, &c->partial_buffer, currentInputBlock);
626 grasshopper_copy128(currentOutputBlock, &tmp);
627 ctr128_inc(iv_buffer->b);
628 current_in += GRASSHOPPER_BLOCK_SIZE;
629 current_out += GRASSHOPPER_BLOCK_SIZE;
630 lasted -= GRASSHOPPER_BLOCK_SIZE;
634 currentInputBlock = (grasshopper_w128_t *) current_in;
635 currentOutputBlock = (grasshopper_w128_t *) current_out;
636 grasshopper_encrypt_block(&c->c.encrypt_round_keys, iv_buffer,
637 &c->partial_buffer, &c->c.buffer);
638 for (i = 0; i < lasted; i++) {
639 currentOutputBlock->b[i] =
640 c->partial_buffer.b[i] ^ currentInputBlock->b[i];
642 EVP_CIPHER_CTX_set_num(ctx, i);
643 ctr128_inc(iv_buffer->b);
649 #define GRASSHOPPER_BLOCK_MASK (GRASSHOPPER_BLOCK_SIZE - 1)
650 static inline void apply_acpkm_grasshopper(gost_grasshopper_cipher_ctx_ctr *
651 ctx, unsigned int *num)
653 if (!ctx->section_size || (*num < ctx->section_size))
656 *num &= GRASSHOPPER_BLOCK_MASK;
659 /* If meshing is not configured via ctrl (setting section_size)
660 * this function works exactly like plain ctr */
661 static int gost_grasshopper_cipher_do_ctracpkm(EVP_CIPHER_CTX *ctx,
663 const unsigned char *in,
666 gost_grasshopper_cipher_ctx_ctr *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
667 unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
668 unsigned int num = EVP_CIPHER_CTX_num(ctx);
669 size_t blocks, i, lasted = inl;
670 grasshopper_w128_t tmp;
672 while ((num & GRASSHOPPER_BLOCK_MASK) && lasted) {
673 *out++ = *in++ ^ c->partial_buffer.b[num & GRASSHOPPER_BLOCK_MASK];
677 blocks = lasted / GRASSHOPPER_BLOCK_SIZE;
680 for (i = 0; i < blocks; i++) {
681 apply_acpkm_grasshopper(c, &num);
682 grasshopper_encrypt_block(&c->c.encrypt_round_keys,
683 (grasshopper_w128_t *) iv,
684 (grasshopper_w128_t *) & c->partial_buffer,
686 grasshopper_plus128(&tmp, &c->partial_buffer,
687 (grasshopper_w128_t *) in);
688 grasshopper_copy128((grasshopper_w128_t *) out, &tmp);
690 in += GRASSHOPPER_BLOCK_SIZE;
691 out += GRASSHOPPER_BLOCK_SIZE;
692 num += GRASSHOPPER_BLOCK_SIZE;
693 lasted -= GRASSHOPPER_BLOCK_SIZE;
698 apply_acpkm_grasshopper(c, &num);
699 grasshopper_encrypt_block(&c->c.encrypt_round_keys,
700 (grasshopper_w128_t *) iv,
701 &c->partial_buffer, &c->c.buffer);
702 for (i = 0; i < lasted; i++)
703 out[i] = c->partial_buffer.b[i] ^ in[i];
707 EVP_CIPHER_CTX_set_num(ctx, num);
712 static int gost_grasshopper_cipher_do_ctracpkm_omac(EVP_CIPHER_CTX *ctx,
714 const unsigned char *in,
718 gost_grasshopper_cipher_ctx_ctr *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
719 /* As in and out can be the same pointer, process unencrypted here */
720 if (EVP_CIPHER_CTX_encrypting(ctx))
721 EVP_DigestSignUpdate(c->omac_ctx, in, inl);
723 if (in == NULL && inl == 0) { /* Final call */
724 return gost2015_final_call(ctx, c->omac_ctx, KUZNYECHIK_MAC_MAX_SIZE, c->tag, gost_grasshopper_cipher_do_ctracpkm);
728 GOSTerr(GOST_F_GOST_GRASSHOPPER_CIPHER_DO_CTRACPKM_OMAC, ERR_R_EVP_LIB);
731 result = gost_grasshopper_cipher_do_ctracpkm(ctx, out, in, inl);
733 /* As in and out can be the same pointer, process decrypted here */
734 if (!EVP_CIPHER_CTX_encrypting(ctx))
735 EVP_DigestSignUpdate(c->omac_ctx, out, inl);
742 static int gost_grasshopper_cipher_do_mgm(EVP_CIPHER_CTX *ctx, unsigned char *out,
743 const unsigned char *in, size_t len)
746 (gost_mgm_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx);
747 int enc = EVP_CIPHER_CTX_encrypting(ctx);
749 /* If not set up, return error */
750 if (!mctx->key_set) {
751 GOSTerr(GOST_F_GOST_GRASSHOPPER_CIPHER_DO_MGM,
757 GOSTerr(GOST_F_GOST_GRASSHOPPER_CIPHER_DO_MGM,
763 if (gost_mgm128_aad(&mctx->mgm, in, len))
766 if (gost_mgm128_encrypt(&mctx->mgm, in, out, len))
769 if (gost_mgm128_decrypt(&mctx->mgm, in, out, len))
775 if (mctx->taglen < 0)
777 if (gost_mgm128_finish(&mctx->mgm,
778 EVP_CIPHER_CTX_buf_noconst(ctx),
784 gost_mgm128_tag(&mctx->mgm, EVP_CIPHER_CTX_buf_noconst(ctx), 16);
786 /* Don't reuse the IV */
794 * Fixed 128-bit IV implementation make shift regiser redundant.
796 static void gost_grasshopper_cnt_next(gost_grasshopper_cipher_ctx * ctx,
797 grasshopper_w128_t * iv,
798 grasshopper_w128_t * buf)
800 grasshopper_w128_t tmp;
801 memcpy(&tmp, iv, 16);
802 grasshopper_encrypt_block(&ctx->encrypt_round_keys, &tmp,
807 static int gost_grasshopper_cipher_do_ofb(EVP_CIPHER_CTX *ctx, unsigned char *out,
808 const unsigned char *in, size_t inl)
810 gost_grasshopper_cipher_ctx *c = (gost_grasshopper_cipher_ctx *)
811 EVP_CIPHER_CTX_get_cipher_data(ctx);
812 const unsigned char *in_ptr = in;
813 unsigned char *out_ptr = out;
814 unsigned char *buf = EVP_CIPHER_CTX_buf_noconst(ctx);
815 unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
816 int num = EVP_CIPHER_CTX_num(ctx);
820 /* process partial block if any */
822 for (j = (size_t)num, i = 0; j < GRASSHOPPER_BLOCK_SIZE && i < inl;
823 j++, i++, in_ptr++, out_ptr++) {
824 *out_ptr = buf[j] ^ (*in_ptr);
826 if (j == GRASSHOPPER_BLOCK_SIZE) {
827 EVP_CIPHER_CTX_set_num(ctx, 0);
829 EVP_CIPHER_CTX_set_num(ctx, (int)j);
834 for (; i + GRASSHOPPER_BLOCK_SIZE <
836 i += GRASSHOPPER_BLOCK_SIZE, in_ptr +=
837 GRASSHOPPER_BLOCK_SIZE, out_ptr += GRASSHOPPER_BLOCK_SIZE) {
839 * block cipher current iv
842 gost_grasshopper_cnt_next(c, (grasshopper_w128_t *) iv,
843 (grasshopper_w128_t *) buf);
846 * xor next block of input text with it and output it
851 for (j = 0; j < GRASSHOPPER_BLOCK_SIZE; j++) {
852 out_ptr[j] = buf[j] ^ in_ptr[j];
856 /* Process rest of buffer */
858 gost_grasshopper_cnt_next(c, (grasshopper_w128_t *) iv,
859 (grasshopper_w128_t *) buf);
860 for (j = 0; i < inl; j++, i++) {
861 out_ptr[j] = buf[j] ^ in_ptr[j];
863 EVP_CIPHER_CTX_set_num(ctx, (int)j);
865 EVP_CIPHER_CTX_set_num(ctx, 0);
871 static int gost_grasshopper_cipher_do_cfb(EVP_CIPHER_CTX *ctx, unsigned char *out,
872 const unsigned char *in, size_t inl)
874 gost_grasshopper_cipher_ctx *c =
875 (gost_grasshopper_cipher_ctx *) EVP_CIPHER_CTX_get_cipher_data(ctx);
876 const unsigned char *in_ptr = in;
877 unsigned char *out_ptr = out;
878 unsigned char *buf = EVP_CIPHER_CTX_buf_noconst(ctx);
879 unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
880 bool encrypting = (bool) EVP_CIPHER_CTX_encrypting(ctx);
881 int num = EVP_CIPHER_CTX_num(ctx);
885 /* process partial block if any */
887 for (j = (size_t)num, i = 0; j < GRASSHOPPER_BLOCK_SIZE && i < inl;
888 j++, i++, in_ptr++, out_ptr++) {
890 buf[j + GRASSHOPPER_BLOCK_SIZE] = *in_ptr;
892 *out_ptr = buf[j] ^ (*in_ptr);
894 buf[j + GRASSHOPPER_BLOCK_SIZE] = *out_ptr;
897 if (j == GRASSHOPPER_BLOCK_SIZE) {
898 memcpy(iv, buf + GRASSHOPPER_BLOCK_SIZE, GRASSHOPPER_BLOCK_SIZE);
899 EVP_CIPHER_CTX_set_num(ctx, 0);
901 EVP_CIPHER_CTX_set_num(ctx, (int)j);
906 for (; i + GRASSHOPPER_BLOCK_SIZE <
908 i += GRASSHOPPER_BLOCK_SIZE, in_ptr +=
909 GRASSHOPPER_BLOCK_SIZE, out_ptr += GRASSHOPPER_BLOCK_SIZE) {
911 * block cipher current iv
913 grasshopper_encrypt_block(&c->encrypt_round_keys,
914 (grasshopper_w128_t *) iv,
915 (grasshopper_w128_t *) buf, &c->buffer);
917 * xor next block of input text with it and output it
923 memcpy(iv, in_ptr, GRASSHOPPER_BLOCK_SIZE);
925 for (j = 0; j < GRASSHOPPER_BLOCK_SIZE; j++) {
926 out_ptr[j] = buf[j] ^ in_ptr[j];
929 /* Next iv is next block of cipher text */
931 memcpy(iv, out_ptr, GRASSHOPPER_BLOCK_SIZE);
935 /* Process rest of buffer */
937 grasshopper_encrypt_block(&c->encrypt_round_keys,
938 (grasshopper_w128_t *) iv,
939 (grasshopper_w128_t *) buf, &c->buffer);
941 memcpy(buf + GRASSHOPPER_BLOCK_SIZE, in_ptr, inl - i);
943 for (j = 0; i < inl; j++, i++) {
944 out_ptr[j] = buf[j] ^ in_ptr[j];
946 EVP_CIPHER_CTX_set_num(ctx, (int)j);
948 memcpy(buf + GRASSHOPPER_BLOCK_SIZE, out_ptr, j);
951 EVP_CIPHER_CTX_set_num(ctx, 0);
957 static int gost_grasshopper_cipher_cleanup(EVP_CIPHER_CTX *ctx)
959 gost_grasshopper_cipher_ctx *c =
960 (gost_grasshopper_cipher_ctx *) EVP_CIPHER_CTX_get_cipher_data(ctx);
965 if (EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_CTR_MODE)
966 gost_grasshopper_cipher_destroy_ctr(c);
968 EVP_CIPHER_CTX_set_app_data(ctx, NULL);
973 static int gost_grasshopper_set_asn1_parameters(EVP_CIPHER_CTX *ctx, ASN1_TYPE *params)
975 if (EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_CTR_MODE) {
976 gost_grasshopper_cipher_ctx_ctr *ctr = EVP_CIPHER_CTX_get_cipher_data(ctx);
978 /* CMS implies 256kb section_size */
979 ctr->section_size = 256*1024;
981 return gost2015_set_asn1_params(params,
982 EVP_CIPHER_CTX_original_iv(ctx), 8, ctr->kdf_seed);
987 static GRASSHOPPER_INLINE int
988 gost_grasshopper_get_asn1_parameters(EVP_CIPHER_CTX *ctx, ASN1_TYPE *params)
990 if (EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_CTR_MODE) {
991 gost_grasshopper_cipher_ctx_ctr *ctr = EVP_CIPHER_CTX_get_cipher_data(ctx);
994 unsigned char iv[16];
996 if (gost2015_get_asn1_params(params, 16, iv, 8, ctr->kdf_seed) == 0) {
1000 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, iv_len);
1001 memcpy((unsigned char *)EVP_CIPHER_CTX_original_iv(ctx), iv, iv_len);
1003 /* CMS implies 256kb section_size */
1004 ctr->section_size = 256*1024;
1010 static int gost_grasshopper_mgm_cleanup(EVP_CIPHER_CTX *c)
1012 gost_mgm_ctx *mctx =
1013 (gost_mgm_ctx *)EVP_CIPHER_CTX_get_cipher_data(c);
1016 gost_grasshopper_cipher_destroy(&mctx->ks.gh_ks);
1017 OPENSSL_cleanse(&mctx->mgm, sizeof(mctx->mgm));
1018 if (mctx->iv != EVP_CIPHER_CTX_iv_noconst(c))
1019 OPENSSL_free(mctx->iv);
1023 static int gost_grasshopper_mgm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1025 gost_mgm_ctx *mctx =
1026 (gost_mgm_ctx *)EVP_CIPHER_CTX_get_cipher_data(c);
1027 unsigned char *buf, *iv;
1032 ivlen = EVP_CIPHER_iv_length(EVP_CIPHER_CTX_cipher(c));
1033 iv = EVP_CIPHER_CTX_iv_noconst(c);
1036 mctx->ivlen = ivlen;
1041 case EVP_CTRL_GET_IVLEN:
1042 *(int *)ptr = mctx->ivlen;
1045 case EVP_CTRL_AEAD_SET_IVLEN:
1048 if ((arg > EVP_MAX_IV_LENGTH) && (arg > mctx->ivlen)) {
1049 // TODO: Allocate memory for IV or set error
1055 case EVP_CTRL_AEAD_SET_TAG:
1056 buf = EVP_CIPHER_CTX_buf_noconst(c);
1057 enc = EVP_CIPHER_CTX_encrypting(c);
1058 if (arg <= 0 || arg != 16 || enc) {
1059 GOSTerr(GOST_F_GOST_GRASSHOPPER_MGM_CTRL,
1060 GOST_R_INVALID_TAG_LENGTH);
1063 memcpy(buf, ptr, arg);
1067 case EVP_CTRL_AEAD_GET_TAG:
1068 buf = EVP_CIPHER_CTX_buf_noconst(c);
1069 enc = EVP_CIPHER_CTX_encrypting(c);
1070 if (arg <= 0 || arg > 16 || !enc || mctx->taglen < 0) {
1071 GOSTerr(GOST_F_GOST_GRASSHOPPER_MGM_CTRL,
1072 GOST_R_INVALID_TAG_LENGTH);
1075 memcpy(ptr, buf, arg);
1083 static int gost_grasshopper_cipher_ctl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
1086 case EVP_CTRL_RAND_KEY:{
1088 ((unsigned char *)ptr, EVP_CIPHER_CTX_key_length(ctx)) <= 0) {
1089 GOSTerr(GOST_F_GOST_GRASSHOPPER_CIPHER_CTL, GOST_R_RNG_ERROR);
1094 case EVP_CTRL_KEY_MESH:{
1095 gost_grasshopper_cipher_ctx_ctr *c =
1096 EVP_CIPHER_CTX_get_cipher_data(ctx);
1097 if ((c->c.type != GRASSHOPPER_CIPHER_CTRACPKM &&
1098 c->c.type != GRASSHOPPER_CIPHER_CTRACPKMOMAC)
1100 || (arg % GRASSHOPPER_BLOCK_SIZE))
1102 c->section_size = arg;
1105 #ifdef EVP_CTRL_TLS1_2_TLSTREE
1106 case EVP_CTRL_TLS1_2_TLSTREE:
1108 unsigned char newkey[32];
1109 int mode = EVP_CIPHER_CTX_mode(ctx);
1110 static const unsigned char zeroseq[8];
1111 gost_grasshopper_cipher_ctx_ctr *ctr_ctx = NULL;
1112 gost_grasshopper_cipher_ctx *c = NULL;
1114 unsigned char adjusted_iv[16];
1115 unsigned char seq[8];
1117 if (mode != EVP_CIPH_CTR_MODE)
1120 ctr_ctx = (gost_grasshopper_cipher_ctx_ctr *)
1121 EVP_CIPHER_CTX_get_cipher_data(ctx);
1124 memcpy(seq, ptr, 8);
1125 if (EVP_CIPHER_CTX_encrypting(ctx)) {
1127 * OpenSSL increments seq after mac calculation.
1128 * As we have Mac-Then-Encrypt, we need decrement it here on encryption
1129 * to derive the key correctly.
1131 if (memcmp(seq, zeroseq, 8) != 0)
1135 if (seq[j] != 0) {seq[j]--; break;}
1140 if (gost_tlstree(NID_grasshopper_cbc, c->master_key.k.b, newkey,
1141 (const unsigned char *)seq) > 0) {
1142 memset(adjusted_iv, 0, 16);
1143 memcpy(adjusted_iv, EVP_CIPHER_CTX_original_iv(ctx), 8);
1144 for(j=7,carry=0; j>=0; j--)
1146 int adj_byte = adjusted_iv[j]+seq[j]+carry;
1147 carry = (adj_byte > 255) ? 1 : 0;
1148 adjusted_iv[j] = adj_byte & 0xFF;
1150 EVP_CIPHER_CTX_set_num(ctx, 0);
1151 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), adjusted_iv, 16);
1153 gost_grasshopper_cipher_key(c, newkey);
1160 case EVP_CTRL_AEAD_GET_TAG:
1161 case EVP_CTRL_AEAD_SET_TAG:
1164 unsigned char *tag = ptr;
1166 gost_grasshopper_cipher_ctx *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
1167 if (c->c.type != GRASSHOPPER_CIPHER_MGM)
1170 if (taglen > KUZNYECHIK_MAC_MAX_SIZE) {
1171 CRYPTOCOMerr(CRYPTOCOM_F_GOST_GRASSHOPPER_CIPHER_CTL,
1172 CRYPTOCOM_R_INVALID_TAG_LENGTH);
1176 if (type == EVP_CTRL_AEAD_GET_TAG)
1177 memcpy(tag, c->final_tag, taglen);
1179 memcpy(c->final_tag, tag, taglen);
1184 case EVP_CTRL_PROCESS_UNPROTECTED:
1186 STACK_OF(X509_ATTRIBUTE) *x = ptr;
1187 gost_grasshopper_cipher_ctx_ctr *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
1189 if (c->c.type != GRASSHOPPER_CIPHER_CTRACPKMOMAC)
1192 return gost2015_process_unprotected_attributes(x, arg, KUZNYECHIK_MAC_MAX_SIZE, c->tag);
1195 case EVP_CTRL_COPY: {
1196 EVP_CIPHER_CTX *out = ptr;
1198 gost_grasshopper_cipher_ctx_ctr *out_cctx = EVP_CIPHER_CTX_get_cipher_data(out);
1199 gost_grasshopper_cipher_ctx_ctr *in_cctx = EVP_CIPHER_CTX_get_cipher_data(ctx);
1201 if (in_cctx->c.type != GRASSHOPPER_CIPHER_CTRACPKMOMAC)
1204 if (in_cctx->omac_ctx == out_cctx->omac_ctx) {
1205 out_cctx->omac_ctx = EVP_MD_CTX_new();
1206 if (out_cctx->omac_ctx == NULL) {
1207 GOSTerr(GOST_F_GOST_GRASSHOPPER_CIPHER_CTL, ERR_R_MALLOC_FAILURE);
1211 return EVP_MD_CTX_copy(out_cctx->omac_ctx, in_cctx->omac_ctx);
1214 GOSTerr(GOST_F_GOST_GRASSHOPPER_CIPHER_CTL,
1215 GOST_R_UNSUPPORTED_CIPHER_CTL_COMMAND);
1221 /* Called directly by CMAC_ACPKM_Init() */
1222 const GRASSHOPPER_INLINE EVP_CIPHER *cipher_gost_grasshopper_ctracpkm()
1224 return GOST_init_cipher(&grasshopper_ctr_acpkm_cipher);
1226 /* vim: set expandtab cinoptions=\:0,l1,t0,g0,(0 sw=4 : */
projects / openssl-gost / engine.git / blob