3 * Copyright (c) 2020 Vitaly Chikunov <vt@altlinux.org>
4 * This file is distributed under the same license as OpenSSL
7 #include "gost_grasshopper_cipher.h"
8 #include "gost_grasshopper_defines.h"
9 #include "gost_grasshopper_math.h"
10 #include "gost_grasshopper_core.h"
11 #include "gost_gost2015.h"
13 #include <openssl/evp.h>
14 #include <openssl/rand.h>
15 #include <openssl/err.h>
20 #include "e_gost_err.h"
22 enum GRASSHOPPER_CIPHER_TYPE {
23 GRASSHOPPER_CIPHER_ECB = 0,
24 GRASSHOPPER_CIPHER_CBC,
25 GRASSHOPPER_CIPHER_OFB,
26 GRASSHOPPER_CIPHER_CFB,
27 GRASSHOPPER_CIPHER_CTR,
28 GRASSHOPPER_CIPHER_CTRACPKM,
29 GRASSHOPPER_CIPHER_CTRACPKMOMAC,
30 GRASSHOPPER_CIPHER_MGM,
33 static GOST_cipher grasshopper_template_cipher = {
34 .block_size = GRASSHOPPER_BLOCK_SIZE,
35 .key_len = GRASSHOPPER_KEY_SIZE,
36 .flags = EVP_CIPH_RAND_KEY |
37 EVP_CIPH_ALWAYS_CALL_INIT,
38 .cleanup = gost_grasshopper_cipher_cleanup,
39 .ctx_size = sizeof(gost_grasshopper_cipher_ctx),
40 .set_asn1_parameters = gost_grasshopper_set_asn1_parameters,
41 .get_asn1_parameters = gost_grasshopper_get_asn1_parameters,
42 .ctrl = gost_grasshopper_cipher_ctl,
45 GOST_cipher grasshopper_ecb_cipher = {
46 .nid = NID_grasshopper_ecb,
47 .template = &grasshopper_template_cipher,
48 .flags = EVP_CIPH_ECB_MODE,
49 .init = gost_grasshopper_cipher_init_ecb,
50 .do_cipher = gost_grasshopper_cipher_do_ecb,
53 GOST_cipher grasshopper_cbc_cipher = {
54 .nid = NID_grasshopper_cbc,
55 .template = &grasshopper_template_cipher,
57 .flags = EVP_CIPH_CBC_MODE |
59 .init = gost_grasshopper_cipher_init_cbc,
60 .do_cipher = gost_grasshopper_cipher_do_cbc,
63 GOST_cipher grasshopper_ofb_cipher = {
64 .nid = NID_grasshopper_ofb,
65 .template = &grasshopper_template_cipher,
68 .flags = EVP_CIPH_OFB_MODE |
71 .init = gost_grasshopper_cipher_init_ofb,
72 .do_cipher = gost_grasshopper_cipher_do_ofb,
75 GOST_cipher grasshopper_cfb_cipher = {
76 .nid = NID_grasshopper_cfb,
77 .template = &grasshopper_template_cipher,
80 .flags = EVP_CIPH_CFB_MODE |
83 .init = gost_grasshopper_cipher_init_cfb,
84 .do_cipher = gost_grasshopper_cipher_do_cfb,
87 GOST_cipher grasshopper_ctr_cipher = {
88 .nid = NID_grasshopper_ctr,
89 .template = &grasshopper_template_cipher,
92 .flags = EVP_CIPH_CTR_MODE |
95 .init = gost_grasshopper_cipher_init_ctr,
96 .do_cipher = gost_grasshopper_cipher_do_ctr,
97 .ctx_size = sizeof(gost_grasshopper_cipher_ctx_ctr),
100 GOST_cipher grasshopper_ctr_acpkm_cipher = {
101 .nid = NID_kuznyechik_ctr_acpkm,
102 .template = &grasshopper_template_cipher,
105 .flags = EVP_CIPH_CTR_MODE |
106 EVP_CIPH_NO_PADDING |
108 .init = gost_grasshopper_cipher_init_ctracpkm,
109 .do_cipher = gost_grasshopper_cipher_do_ctracpkm,
110 .ctx_size = sizeof(gost_grasshopper_cipher_ctx_ctr),
113 GOST_cipher grasshopper_ctr_acpkm_omac_cipher = {
114 .nid = NID_kuznyechik_ctr_acpkm_omac,
115 .template = &grasshopper_template_cipher,
118 .flags = EVP_CIPH_CTR_MODE |
119 EVP_CIPH_NO_PADDING |
121 EVP_CIPH_FLAG_CUSTOM_CIPHER |
122 EVP_CIPH_FLAG_CIPHER_WITH_MAC |
123 EVP_CIPH_CUSTOM_COPY,
124 .init = gost_grasshopper_cipher_init_ctracpkm_omac,
125 .do_cipher = gost_grasshopper_cipher_do_ctracpkm_omac,
126 .ctx_size = sizeof(gost_grasshopper_cipher_ctx_ctr),
129 GOST_cipher grasshopper_mgm_cipher = {
130 .nid = NID_kuznyechik_mgm,
131 .template = &grasshopper_template_cipher,
134 .flags = EVP_CIPH_NO_PADDING |
135 EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER |
136 EVP_CIPH_CTRL_INIT | EVP_CIPH_FLAG_AEAD_CIPHER,
137 .cleanup = gost_grasshopper_mgm_cleanup,
138 .ctrl = gost_grasshopper_mgm_ctrl,
139 .init = gost_grasshopper_cipher_init_mgm,
140 .do_cipher = gost_grasshopper_cipher_do_mgm,
141 .ctx_size = sizeof(gost_mgm_ctx)
144 /* first 256 bit of D from draft-irtf-cfrg-re-keying-12 */
145 static const unsigned char ACPKM_D_2018[] = {
146 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, /* 64 bit */
147 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f, /* 128 bit */
148 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
149 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f, /* 256 bit */
152 static void acpkm_next(gost_grasshopper_cipher_ctx * c)
154 unsigned char newkey[GRASSHOPPER_KEY_SIZE];
155 const int J = GRASSHOPPER_KEY_SIZE / GRASSHOPPER_BLOCK_SIZE;
158 for (n = 0; n < J; n++) {
159 const unsigned char *D_n = &ACPKM_D_2018[n * GRASSHOPPER_BLOCK_SIZE];
161 grasshopper_encrypt_block(&c->encrypt_round_keys,
162 (grasshopper_w128_t *) D_n,
163 (grasshopper_w128_t *) & newkey[n *
164 GRASSHOPPER_BLOCK_SIZE],
167 gost_grasshopper_cipher_key(c, newkey);
170 /* Set 256 bit key into context */
171 static GRASSHOPPER_INLINE void
172 gost_grasshopper_cipher_key(gost_grasshopper_cipher_ctx * c, const uint8_t *k)
175 for (i = 0; i < 2; i++) {
176 grasshopper_copy128(&c->key.k.k[i],
177 (const grasshopper_w128_t *)(k + i * 16));
180 grasshopper_set_encrypt_key(&c->encrypt_round_keys, &c->key);
181 grasshopper_set_decrypt_key(&c->decrypt_round_keys, &c->key);
184 /* Set master 256-bit key to be used in TLSTREE calculation into context */
185 static GRASSHOPPER_INLINE void
186 gost_grasshopper_master_key(gost_grasshopper_cipher_ctx * c, const uint8_t *k)
189 for (i = 0; i < 2; i++) {
190 grasshopper_copy128(&c->master_key.k.k[i],
191 (const grasshopper_w128_t *)(k + i * 16));
195 /* Cleans up key from context */
196 static GRASSHOPPER_INLINE void
197 gost_grasshopper_cipher_destroy(gost_grasshopper_cipher_ctx * c)
200 for (i = 0; i < 2; i++) {
201 grasshopper_zero128(&c->key.k.k[i]);
202 grasshopper_zero128(&c->master_key.k.k[i]);
204 for (i = 0; i < GRASSHOPPER_ROUND_KEYS_COUNT; i++) {
205 grasshopper_zero128(&c->encrypt_round_keys.k[i]);
207 for (i = 0; i < GRASSHOPPER_ROUND_KEYS_COUNT; i++) {
208 grasshopper_zero128(&c->decrypt_round_keys.k[i]);
210 grasshopper_zero128(&c->buffer);
213 static GRASSHOPPER_INLINE void
214 gost_grasshopper_cipher_destroy_ctr(gost_grasshopper_cipher_ctx * c)
216 gost_grasshopper_cipher_ctx_ctr *ctx =
217 (gost_grasshopper_cipher_ctx_ctr *) c;
220 EVP_MD_CTX_free(ctx->omac_ctx);
222 grasshopper_zero128(&ctx->partial_buffer);
225 static int gost_grasshopper_cipher_init(EVP_CIPHER_CTX *ctx,
226 const unsigned char *key,
227 const unsigned char *iv, int enc)
229 gost_grasshopper_cipher_ctx *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
231 if (EVP_CIPHER_CTX_get_app_data(ctx) == NULL) {
232 EVP_CIPHER_CTX_set_app_data(ctx, EVP_CIPHER_CTX_get_cipher_data(ctx));
233 if (enc && c->type == GRASSHOPPER_CIPHER_CTRACPKM) {
234 gost_grasshopper_cipher_ctx_ctr *ctr = EVP_CIPHER_CTX_get_cipher_data(ctx);
235 if (init_zero_kdf_seed(ctr->kdf_seed) == 0)
241 gost_grasshopper_cipher_key(c, key);
242 gost_grasshopper_master_key(c, key);
246 memcpy((unsigned char *)EVP_CIPHER_CTX_original_iv(ctx), iv,
247 EVP_CIPHER_CTX_iv_length(ctx));
250 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx),
251 EVP_CIPHER_CTX_original_iv(ctx), EVP_CIPHER_CTX_iv_length(ctx));
253 grasshopper_zero128(&c->buffer);
258 static GRASSHOPPER_INLINE int
259 gost_grasshopper_cipher_init_ecb(EVP_CIPHER_CTX *ctx, const unsigned char
260 *key, const unsigned char
263 gost_grasshopper_cipher_ctx *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
264 c->type = GRASSHOPPER_CIPHER_ECB;
265 return gost_grasshopper_cipher_init(ctx, key, iv, enc);
268 static GRASSHOPPER_INLINE int
269 gost_grasshopper_cipher_init_cbc(EVP_CIPHER_CTX *ctx, const unsigned char
270 *key, const unsigned char
273 gost_grasshopper_cipher_ctx *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
274 c->type = GRASSHOPPER_CIPHER_CBC;
275 return gost_grasshopper_cipher_init(ctx, key, iv, enc);
278 static GRASSHOPPER_INLINE
279 int gost_grasshopper_cipher_init_ofb(EVP_CIPHER_CTX *ctx, const unsigned char
280 *key, const unsigned char
283 gost_grasshopper_cipher_ctx *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
284 c->type = GRASSHOPPER_CIPHER_OFB;
285 return gost_grasshopper_cipher_init(ctx, key, iv, enc);
288 static GRASSHOPPER_INLINE int
289 gost_grasshopper_cipher_init_cfb(EVP_CIPHER_CTX *ctx, const unsigned char
290 *key, const unsigned char
293 gost_grasshopper_cipher_ctx *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
294 c->type = GRASSHOPPER_CIPHER_CFB;
295 return gost_grasshopper_cipher_init(ctx, key, iv, enc);
298 static GRASSHOPPER_INLINE int
299 gost_grasshopper_cipher_init_ctr(EVP_CIPHER_CTX *ctx, const unsigned char
300 *key, const unsigned char
303 gost_grasshopper_cipher_ctx_ctr *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
305 c->c.type = GRASSHOPPER_CIPHER_CTR;
306 EVP_CIPHER_CTX_set_num(ctx, 0);
308 grasshopper_zero128(&c->partial_buffer);
310 return gost_grasshopper_cipher_init(ctx, key, iv, enc);
313 static GRASSHOPPER_INLINE int
314 gost_grasshopper_cipher_init_ctracpkm(EVP_CIPHER_CTX
316 char *key, const unsigned
319 gost_grasshopper_cipher_ctx_ctr *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
321 /* NB: setting type makes EVP do_cipher callback useless */
322 c->c.type = GRASSHOPPER_CIPHER_CTRACPKM;
323 EVP_CIPHER_CTX_set_num(ctx, 0);
324 c->section_size = 4096;
326 return gost_grasshopper_cipher_init(ctx, key, iv, enc);
329 static GRASSHOPPER_INLINE int
330 gost_grasshopper_cipher_init_ctracpkm_omac(EVP_CIPHER_CTX
332 char *key, const unsigned
335 gost_grasshopper_cipher_ctx_ctr *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
337 /* NB: setting type makes EVP do_cipher callback useless */
338 c->c.type = GRASSHOPPER_CIPHER_CTRACPKMOMAC;
339 EVP_CIPHER_CTX_set_num(ctx, 0);
340 c->section_size = 4096;
343 unsigned char cipher_key[32];
344 c->omac_ctx = EVP_MD_CTX_new();
346 if (c->omac_ctx == NULL) {
347 GOSTerr(GOST_F_GOST_GRASSHOPPER_CIPHER_INIT_CTRACPKM_OMAC, ERR_R_MALLOC_FAILURE);
351 if (gost2015_acpkm_omac_init(NID_kuznyechik_mac, enc, key,
352 c->omac_ctx, cipher_key, c->kdf_seed) != 1) {
353 EVP_MD_CTX_free(c->omac_ctx);
358 return gost_grasshopper_cipher_init(ctx, cipher_key, iv, enc);
361 return gost_grasshopper_cipher_init(ctx, key, iv, enc);
364 // TODO: const *in, const *c
365 void gost_grasshopper_encrypt_wrap(unsigned char *in, unsigned char *out,
366 gost_grasshopper_cipher_ctx *c) {
367 grasshopper_encrypt_block(&c->encrypt_round_keys,
368 (grasshopper_w128_t *) in,
369 (grasshopper_w128_t *) out,
375 /* ----------------------------------------------------------------------------------------------- */
376 /*! Функция реализует операцию умножения двух элементов конечного поля \f$ \mathbb F_{2^{128}}\f$,
377 порожденного неприводимым многочленом
378 \f$ f(x) = x^{128} + x^7 + x^2 + x + 1 \in \mathbb F_2[x]\f$. Для умножения используется
379 простейшая реализация, основанная на приведении по модулю после каждого шага алгоритма. */
380 /* ----------------------------------------------------------------------------------------------- */
381 static void gf128_mul_uint64 (uint64_t *result, uint64_t *arg1, uint64_t *arg2)
384 register uint64_t t, X0, X1;
385 uint64_t Z0 = 0, Z1 = 0;
388 X0 = BSWAP64(*(arg1 + 1));
395 //first 64 bits of arg1
397 t = BSWAP64(*(arg2 + 1));
402 for (i = 0; i < 64; i++) {
408 if (X1 & 0x8000000000000000) {
421 //second 64 bits of arg2
428 for (i = 0; i < 63; i++) {
434 if (X1 & 0x8000000000000000) {
453 result[0] = BSWAP64(Z1);
454 result[1] = BSWAP64(Z0);
461 static GRASSHOPPER_INLINE int
462 gost_grasshopper_cipher_init_mgm(EVP_CIPHER_CTX *ctx, const unsigned char *key,
463 const unsigned char *iv, int enc)
466 (gost_mgm_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx);
472 bl = EVP_CIPHER_CTX_iv_length(ctx);
473 gost_grasshopper_cipher_key(&mctx->ks.gh_ks, key);
474 gost_grasshopper_master_key(&mctx->ks.gh_ks, key);
475 gost_mgm128_init(&mctx->mgm, &mctx->ks,
476 (block128_f) gost_grasshopper_encrypt_wrap, gf128_mul_uint64, bl);
479 * If we have an iv can set it directly, otherwise use saved IV.
481 if (iv == NULL && mctx->iv_set)
484 if (gost_mgm128_setiv(&mctx->mgm, iv, mctx->ivlen) != 1)
490 /* If key set use IV, otherwise copy */
492 if (gost_mgm128_setiv(&mctx->mgm, iv, mctx->ivlen) != 1)
496 memcpy(mctx->iv, iv, mctx->ivlen);
502 static int gost_grasshopper_cipher_do_ecb(EVP_CIPHER_CTX *ctx, unsigned char *out,
503 const unsigned char *in, size_t inl)
505 gost_grasshopper_cipher_ctx *c =
506 (gost_grasshopper_cipher_ctx *) EVP_CIPHER_CTX_get_cipher_data(ctx);
507 bool encrypting = (bool) EVP_CIPHER_CTX_encrypting(ctx);
508 const unsigned char *current_in = in;
509 unsigned char *current_out = out;
510 size_t blocks = inl / GRASSHOPPER_BLOCK_SIZE;
513 for (i = 0; i < blocks;
514 i++, current_in += GRASSHOPPER_BLOCK_SIZE, current_out +=
515 GRASSHOPPER_BLOCK_SIZE) {
517 grasshopper_encrypt_block(&c->encrypt_round_keys,
518 (grasshopper_w128_t *) current_in,
519 (grasshopper_w128_t *) current_out,
522 grasshopper_decrypt_block(&c->decrypt_round_keys,
523 (grasshopper_w128_t *) current_in,
524 (grasshopper_w128_t *) current_out,
532 static int gost_grasshopper_cipher_do_cbc(EVP_CIPHER_CTX *ctx, unsigned char *out,
533 const unsigned char *in, size_t inl)
535 gost_grasshopper_cipher_ctx *c =
536 (gost_grasshopper_cipher_ctx *) EVP_CIPHER_CTX_get_cipher_data(ctx);
537 unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
538 bool encrypting = (bool) EVP_CIPHER_CTX_encrypting(ctx);
539 const unsigned char *current_in = in;
540 unsigned char *current_out = out;
541 size_t blocks = inl / GRASSHOPPER_BLOCK_SIZE;
543 grasshopper_w128_t *currentBlock;
545 currentBlock = (grasshopper_w128_t *) iv;
547 for (i = 0; i < blocks;
548 i++, current_in += GRASSHOPPER_BLOCK_SIZE, current_out +=
549 GRASSHOPPER_BLOCK_SIZE) {
550 grasshopper_w128_t *currentInputBlock = (grasshopper_w128_t *) current_in;
551 grasshopper_w128_t *currentOutputBlock = (grasshopper_w128_t *) current_out;
553 grasshopper_append128(currentBlock, currentInputBlock);
554 grasshopper_encrypt_block(&c->encrypt_round_keys, currentBlock,
555 currentOutputBlock, &c->buffer);
556 grasshopper_copy128(currentBlock, currentOutputBlock);
558 grasshopper_w128_t tmp;
560 grasshopper_copy128(&tmp, currentInputBlock);
561 grasshopper_decrypt_block(&c->decrypt_round_keys,
562 currentInputBlock, currentOutputBlock,
564 grasshopper_append128(currentOutputBlock, currentBlock);
565 grasshopper_copy128(currentBlock, &tmp);
572 void inc_counter(unsigned char *counter, size_t counter_bytes)
574 unsigned int n = counter_bytes;
587 /* increment counter (128-bit int) by 1 */
588 static void ctr128_inc(unsigned char *counter)
590 inc_counter(counter, 16);
593 static int gost_grasshopper_cipher_do_ctr(EVP_CIPHER_CTX *ctx, unsigned char *out,
594 const unsigned char *in, size_t inl)
596 gost_grasshopper_cipher_ctx_ctr *c = (gost_grasshopper_cipher_ctx_ctr *)
597 EVP_CIPHER_CTX_get_cipher_data(ctx);
598 unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
599 const unsigned char *current_in = in;
600 unsigned char *current_out = out;
601 grasshopper_w128_t *currentInputBlock;
602 grasshopper_w128_t *currentOutputBlock;
603 unsigned int n = EVP_CIPHER_CTX_num(ctx);
607 grasshopper_w128_t *iv_buffer;
608 grasshopper_w128_t tmp;
610 while (n && lasted) {
611 *(current_out++) = *(current_in++) ^ c->partial_buffer.b[n];
613 n = (n + 1) % GRASSHOPPER_BLOCK_SIZE;
615 EVP_CIPHER_CTX_set_num(ctx, n);
616 blocks = lasted / GRASSHOPPER_BLOCK_SIZE;
618 iv_buffer = (grasshopper_w128_t *) iv;
621 for (i = 0; i < blocks; i++) {
622 currentInputBlock = (grasshopper_w128_t *) current_in;
623 currentOutputBlock = (grasshopper_w128_t *) current_out;
624 grasshopper_encrypt_block(&c->c.encrypt_round_keys, iv_buffer,
625 &c->partial_buffer, &c->c.buffer);
626 grasshopper_plus128(&tmp, &c->partial_buffer, currentInputBlock);
627 grasshopper_copy128(currentOutputBlock, &tmp);
628 ctr128_inc(iv_buffer->b);
629 current_in += GRASSHOPPER_BLOCK_SIZE;
630 current_out += GRASSHOPPER_BLOCK_SIZE;
631 lasted -= GRASSHOPPER_BLOCK_SIZE;
635 currentInputBlock = (grasshopper_w128_t *) current_in;
636 currentOutputBlock = (grasshopper_w128_t *) current_out;
637 grasshopper_encrypt_block(&c->c.encrypt_round_keys, iv_buffer,
638 &c->partial_buffer, &c->c.buffer);
639 for (i = 0; i < lasted; i++) {
640 currentOutputBlock->b[i] =
641 c->partial_buffer.b[i] ^ currentInputBlock->b[i];
643 EVP_CIPHER_CTX_set_num(ctx, i);
644 ctr128_inc(iv_buffer->b);
650 #define GRASSHOPPER_BLOCK_MASK (GRASSHOPPER_BLOCK_SIZE - 1)
651 static inline void apply_acpkm_grasshopper(gost_grasshopper_cipher_ctx_ctr *
652 ctx, unsigned int *num)
654 if (!ctx->section_size || (*num < ctx->section_size))
657 *num &= GRASSHOPPER_BLOCK_MASK;
660 /* If meshing is not configured via ctrl (setting section_size)
661 * this function works exactly like plain ctr */
662 static int gost_grasshopper_cipher_do_ctracpkm(EVP_CIPHER_CTX *ctx,
664 const unsigned char *in,
667 gost_grasshopper_cipher_ctx_ctr *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
668 unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
669 unsigned int num = EVP_CIPHER_CTX_num(ctx);
670 size_t blocks, i, lasted = inl;
671 grasshopper_w128_t tmp;
673 while ((num & GRASSHOPPER_BLOCK_MASK) && lasted) {
674 *out++ = *in++ ^ c->partial_buffer.b[num & GRASSHOPPER_BLOCK_MASK];
678 blocks = lasted / GRASSHOPPER_BLOCK_SIZE;
681 for (i = 0; i < blocks; i++) {
682 apply_acpkm_grasshopper(c, &num);
683 grasshopper_encrypt_block(&c->c.encrypt_round_keys,
684 (grasshopper_w128_t *) iv,
685 (grasshopper_w128_t *) & c->partial_buffer,
687 grasshopper_plus128(&tmp, &c->partial_buffer,
688 (grasshopper_w128_t *) in);
689 grasshopper_copy128((grasshopper_w128_t *) out, &tmp);
691 in += GRASSHOPPER_BLOCK_SIZE;
692 out += GRASSHOPPER_BLOCK_SIZE;
693 num += GRASSHOPPER_BLOCK_SIZE;
694 lasted -= GRASSHOPPER_BLOCK_SIZE;
699 apply_acpkm_grasshopper(c, &num);
700 grasshopper_encrypt_block(&c->c.encrypt_round_keys,
701 (grasshopper_w128_t *) iv,
702 &c->partial_buffer, &c->c.buffer);
703 for (i = 0; i < lasted; i++)
704 out[i] = c->partial_buffer.b[i] ^ in[i];
708 EVP_CIPHER_CTX_set_num(ctx, num);
713 static int gost_grasshopper_cipher_do_ctracpkm_omac(EVP_CIPHER_CTX *ctx,
715 const unsigned char *in,
719 gost_grasshopper_cipher_ctx_ctr *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
720 /* As in and out can be the same pointer, process unencrypted here */
721 if (EVP_CIPHER_CTX_encrypting(ctx))
722 EVP_DigestSignUpdate(c->omac_ctx, in, inl);
724 if (in == NULL && inl == 0) { /* Final call */
725 return gost2015_final_call(ctx, c->omac_ctx, KUZNYECHIK_MAC_MAX_SIZE, c->tag, gost_grasshopper_cipher_do_ctracpkm);
729 GOSTerr(GOST_F_GOST_GRASSHOPPER_CIPHER_DO_CTRACPKM_OMAC, ERR_R_EVP_LIB);
732 result = gost_grasshopper_cipher_do_ctracpkm(ctx, out, in, inl);
734 /* As in and out can be the same pointer, process decrypted here */
735 if (!EVP_CIPHER_CTX_encrypting(ctx))
736 EVP_DigestSignUpdate(c->omac_ctx, out, inl);
743 static int gost_grasshopper_cipher_do_mgm(EVP_CIPHER_CTX *ctx, unsigned char *out,
744 const unsigned char *in, size_t len)
747 (gost_mgm_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx);
748 int enc = EVP_CIPHER_CTX_encrypting(ctx);
750 /* If not set up, return error */
751 if (!mctx->key_set) {
752 GOSTerr(GOST_F_GOST_GRASSHOPPER_CIPHER_DO_MGM,
758 GOSTerr(GOST_F_GOST_GRASSHOPPER_CIPHER_DO_MGM,
764 if (gost_mgm128_aad(&mctx->mgm, in, len))
767 if (gost_mgm128_encrypt(&mctx->mgm, in, out, len))
770 if (gost_mgm128_decrypt(&mctx->mgm, in, out, len))
776 if (mctx->taglen < 0)
778 if (gost_mgm128_finish(&mctx->mgm,
779 EVP_CIPHER_CTX_buf_noconst(ctx),
785 gost_mgm128_tag(&mctx->mgm, EVP_CIPHER_CTX_buf_noconst(ctx), 16);
787 /* Don't reuse the IV */
795 * Fixed 128-bit IV implementation make shift regiser redundant.
797 static void gost_grasshopper_cnt_next(gost_grasshopper_cipher_ctx * ctx,
798 grasshopper_w128_t * iv,
799 grasshopper_w128_t * buf)
801 grasshopper_w128_t tmp;
802 memcpy(&tmp, iv, 16);
803 grasshopper_encrypt_block(&ctx->encrypt_round_keys, &tmp,
808 static int gost_grasshopper_cipher_do_ofb(EVP_CIPHER_CTX *ctx, unsigned char *out,
809 const unsigned char *in, size_t inl)
811 gost_grasshopper_cipher_ctx *c = (gost_grasshopper_cipher_ctx *)
812 EVP_CIPHER_CTX_get_cipher_data(ctx);
813 const unsigned char *in_ptr = in;
814 unsigned char *out_ptr = out;
815 unsigned char *buf = EVP_CIPHER_CTX_buf_noconst(ctx);
816 unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
817 int num = EVP_CIPHER_CTX_num(ctx);
821 /* process partial block if any */
823 for (j = (size_t)num, i = 0; j < GRASSHOPPER_BLOCK_SIZE && i < inl;
824 j++, i++, in_ptr++, out_ptr++) {
825 *out_ptr = buf[j] ^ (*in_ptr);
827 if (j == GRASSHOPPER_BLOCK_SIZE) {
828 EVP_CIPHER_CTX_set_num(ctx, 0);
830 EVP_CIPHER_CTX_set_num(ctx, (int)j);
835 for (; i + GRASSHOPPER_BLOCK_SIZE <
837 i += GRASSHOPPER_BLOCK_SIZE, in_ptr +=
838 GRASSHOPPER_BLOCK_SIZE, out_ptr += GRASSHOPPER_BLOCK_SIZE) {
840 * block cipher current iv
843 gost_grasshopper_cnt_next(c, (grasshopper_w128_t *) iv,
844 (grasshopper_w128_t *) buf);
847 * xor next block of input text with it and output it
852 for (j = 0; j < GRASSHOPPER_BLOCK_SIZE; j++) {
853 out_ptr[j] = buf[j] ^ in_ptr[j];
857 /* Process rest of buffer */
859 gost_grasshopper_cnt_next(c, (grasshopper_w128_t *) iv,
860 (grasshopper_w128_t *) buf);
861 for (j = 0; i < inl; j++, i++) {
862 out_ptr[j] = buf[j] ^ in_ptr[j];
864 EVP_CIPHER_CTX_set_num(ctx, (int)j);
866 EVP_CIPHER_CTX_set_num(ctx, 0);
872 static int gost_grasshopper_cipher_do_cfb(EVP_CIPHER_CTX *ctx, unsigned char *out,
873 const unsigned char *in, size_t inl)
875 gost_grasshopper_cipher_ctx *c =
876 (gost_grasshopper_cipher_ctx *) EVP_CIPHER_CTX_get_cipher_data(ctx);
877 const unsigned char *in_ptr = in;
878 unsigned char *out_ptr = out;
879 unsigned char *buf = EVP_CIPHER_CTX_buf_noconst(ctx);
880 unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
881 bool encrypting = (bool) EVP_CIPHER_CTX_encrypting(ctx);
882 int num = EVP_CIPHER_CTX_num(ctx);
886 /* process partial block if any */
888 for (j = (size_t)num, i = 0; j < GRASSHOPPER_BLOCK_SIZE && i < inl;
889 j++, i++, in_ptr++, out_ptr++) {
891 buf[j + GRASSHOPPER_BLOCK_SIZE] = *in_ptr;
893 *out_ptr = buf[j] ^ (*in_ptr);
895 buf[j + GRASSHOPPER_BLOCK_SIZE] = *out_ptr;
898 if (j == GRASSHOPPER_BLOCK_SIZE) {
899 memcpy(iv, buf + GRASSHOPPER_BLOCK_SIZE, GRASSHOPPER_BLOCK_SIZE);
900 EVP_CIPHER_CTX_set_num(ctx, 0);
902 EVP_CIPHER_CTX_set_num(ctx, (int)j);
907 for (; i + GRASSHOPPER_BLOCK_SIZE <
909 i += GRASSHOPPER_BLOCK_SIZE, in_ptr +=
910 GRASSHOPPER_BLOCK_SIZE, out_ptr += GRASSHOPPER_BLOCK_SIZE) {
912 * block cipher current iv
914 grasshopper_encrypt_block(&c->encrypt_round_keys,
915 (grasshopper_w128_t *) iv,
916 (grasshopper_w128_t *) buf, &c->buffer);
918 * xor next block of input text with it and output it
924 memcpy(iv, in_ptr, GRASSHOPPER_BLOCK_SIZE);
926 for (j = 0; j < GRASSHOPPER_BLOCK_SIZE; j++) {
927 out_ptr[j] = buf[j] ^ in_ptr[j];
930 /* Next iv is next block of cipher text */
932 memcpy(iv, out_ptr, GRASSHOPPER_BLOCK_SIZE);
936 /* Process rest of buffer */
938 grasshopper_encrypt_block(&c->encrypt_round_keys,
939 (grasshopper_w128_t *) iv,
940 (grasshopper_w128_t *) buf, &c->buffer);
942 memcpy(buf + GRASSHOPPER_BLOCK_SIZE, in_ptr, inl - i);
944 for (j = 0; i < inl; j++, i++) {
945 out_ptr[j] = buf[j] ^ in_ptr[j];
947 EVP_CIPHER_CTX_set_num(ctx, (int)j);
949 memcpy(buf + GRASSHOPPER_BLOCK_SIZE, out_ptr, j);
952 EVP_CIPHER_CTX_set_num(ctx, 0);
958 static int gost_grasshopper_cipher_cleanup(EVP_CIPHER_CTX *ctx)
960 gost_grasshopper_cipher_ctx *c =
961 (gost_grasshopper_cipher_ctx *) EVP_CIPHER_CTX_get_cipher_data(ctx);
966 if (EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_CTR_MODE)
967 gost_grasshopper_cipher_destroy_ctr(c);
969 EVP_CIPHER_CTX_set_app_data(ctx, NULL);
974 static int gost_grasshopper_set_asn1_parameters(EVP_CIPHER_CTX *ctx, ASN1_TYPE *params)
976 if (EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_CTR_MODE) {
977 gost_grasshopper_cipher_ctx_ctr *ctr = EVP_CIPHER_CTX_get_cipher_data(ctx);
979 /* CMS implies 256kb section_size */
980 ctr->section_size = 256*1024;
982 return gost2015_set_asn1_params(params,
983 EVP_CIPHER_CTX_original_iv(ctx), 8, ctr->kdf_seed);
988 static GRASSHOPPER_INLINE int
989 gost_grasshopper_get_asn1_parameters(EVP_CIPHER_CTX *ctx, ASN1_TYPE *params)
991 if (EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_CTR_MODE) {
992 gost_grasshopper_cipher_ctx_ctr *ctr = EVP_CIPHER_CTX_get_cipher_data(ctx);
995 unsigned char iv[16];
997 if (gost2015_get_asn1_params(params, 16, iv, 8, ctr->kdf_seed) == 0) {
1001 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, iv_len);
1002 memcpy((unsigned char *)EVP_CIPHER_CTX_original_iv(ctx), iv, iv_len);
1004 /* CMS implies 256kb section_size */
1005 ctr->section_size = 256*1024;
1011 static int gost_grasshopper_mgm_cleanup(EVP_CIPHER_CTX *c)
1013 gost_mgm_ctx *mctx =
1014 (gost_mgm_ctx *)EVP_CIPHER_CTX_get_cipher_data(c);
1017 gost_grasshopper_cipher_destroy(&mctx->ks.gh_ks);
1018 OPENSSL_cleanse(&mctx->mgm, sizeof(mctx->mgm));
1019 if (mctx->iv != EVP_CIPHER_CTX_iv_noconst(c))
1020 OPENSSL_free(mctx->iv);
1024 static int gost_grasshopper_mgm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1026 gost_mgm_ctx *mctx =
1027 (gost_mgm_ctx *)EVP_CIPHER_CTX_get_cipher_data(c);
1028 unsigned char *buf, *iv;
1033 ivlen = EVP_CIPHER_iv_length(EVP_CIPHER_CTX_cipher(c));
1034 iv = EVP_CIPHER_CTX_iv_noconst(c);
1037 mctx->ivlen = ivlen;
1040 mctx->tlstree_mode = TLSTREE_MODE_NONE;
1043 case EVP_CTRL_GET_IVLEN:
1044 *(int *)ptr = mctx->ivlen;
1047 case EVP_CTRL_AEAD_SET_IVLEN:
1050 if ((arg > EVP_MAX_IV_LENGTH) && (arg > mctx->ivlen)) {
1051 // TODO: Allocate memory for IV or set error
1057 case EVP_CTRL_AEAD_SET_TAG:
1058 buf = EVP_CIPHER_CTX_buf_noconst(c);
1059 enc = EVP_CIPHER_CTX_encrypting(c);
1060 if (arg <= 0 || arg != 16 || enc) {
1061 GOSTerr(GOST_F_GOST_GRASSHOPPER_MGM_CTRL,
1062 GOST_R_INVALID_TAG_LENGTH);
1065 memcpy(buf, ptr, arg);
1069 case EVP_CTRL_AEAD_GET_TAG:
1070 buf = EVP_CIPHER_CTX_buf_noconst(c);
1071 enc = EVP_CIPHER_CTX_encrypting(c);
1072 if (arg <= 0 || arg > 16 || !enc || mctx->taglen < 0) {
1073 GOSTerr(GOST_F_GOST_GRASSHOPPER_MGM_CTRL,
1074 GOST_R_INVALID_TAG_LENGTH);
1077 memcpy(ptr, buf, arg);
1080 case EVP_CTRL_SET_TLSTREE_PARAMS:
1081 if (strcmp((char *)ptr, "short") == 0)
1082 mctx->tlstree_mode = TLSTREE_MODE_S;
1083 else if (strcmp((char *)ptr, "long") == 0)
1084 mctx->tlstree_mode = TLSTREE_MODE_L;
1091 case EVP_CTRL_TLSTREE:
1093 unsigned char newkey[32];
1094 if (gost_tlstree(NID_kuznyechik_mgm,
1095 mctx->ks.gh_ks.master_key.k.b, newkey,
1096 (const unsigned char *)ptr, mctx->tlstree_mode)
1098 gost_grasshopper_cipher_key(&mctx->ks.gh_ks, newkey);
1099 memset(newkey, 0, sizeof(newkey));
1111 static int gost_grasshopper_cipher_ctl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
1114 case EVP_CTRL_RAND_KEY:{
1116 ((unsigned char *)ptr, EVP_CIPHER_CTX_key_length(ctx)) <= 0) {
1117 GOSTerr(GOST_F_GOST_GRASSHOPPER_CIPHER_CTL, GOST_R_RNG_ERROR);
1122 case EVP_CTRL_KEY_MESH:{
1123 gost_grasshopper_cipher_ctx_ctr *c =
1124 EVP_CIPHER_CTX_get_cipher_data(ctx);
1125 if ((c->c.type != GRASSHOPPER_CIPHER_CTRACPKM &&
1126 c->c.type != GRASSHOPPER_CIPHER_CTRACPKMOMAC)
1128 || (arg % GRASSHOPPER_BLOCK_SIZE))
1130 c->section_size = arg;
1133 case EVP_CTRL_TLSTREE:
1135 unsigned char newkey[32];
1136 int mode = EVP_CIPHER_CTX_mode(ctx);
1137 gost_grasshopper_cipher_ctx_ctr *ctr_ctx = NULL;
1138 gost_grasshopper_cipher_ctx *c = NULL;
1140 unsigned char adjusted_iv[16];
1141 unsigned char seq[8];
1142 int j, carry, decrement_arg;
1143 if (mode != EVP_CIPH_CTR_MODE)
1146 ctr_ctx = (gost_grasshopper_cipher_ctx_ctr *)
1147 EVP_CIPHER_CTX_get_cipher_data(ctx);
1151 * 'arg' parameter indicates what we should do with sequence value.
1153 * When function called, seq is incremented after MAC calculation.
1154 * In ETM mode, we use seq 'as is' in the ctrl-function (arg = 0)
1155 * Otherwise we have to decrease it in the implementation (arg = 1).
1157 memcpy(seq, ptr, 8);
1158 decrement_arg = arg;
1159 if (!decrement_sequence(seq, decrement_arg))
1161 GOSTerr(GOST_F_GOST_GRASSHOPPER_CIPHER_CTL, GOST_R_CTRL_CALL_FAILED);
1165 if (gost_tlstree(NID_grasshopper_cbc, c->master_key.k.b, newkey,
1166 (const unsigned char *)seq, TLSTREE_MODE_NONE) > 0) {
1167 memset(adjusted_iv, 0, 16);
1168 memcpy(adjusted_iv, EVP_CIPHER_CTX_original_iv(ctx), 8);
1169 for(j=7,carry=0; j>=0; j--)
1171 int adj_byte = adjusted_iv[j]+seq[j]+carry;
1172 carry = (adj_byte > 255) ? 1 : 0;
1173 adjusted_iv[j] = adj_byte & 0xFF;
1175 EVP_CIPHER_CTX_set_num(ctx, 0);
1176 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), adjusted_iv, 16);
1178 gost_grasshopper_cipher_key(c, newkey);
1184 case EVP_CTRL_AEAD_GET_TAG:
1185 case EVP_CTRL_AEAD_SET_TAG:
1188 unsigned char *tag = ptr;
1190 gost_grasshopper_cipher_ctx *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
1191 if (c->c.type != GRASSHOPPER_CIPHER_MGM)
1194 if (taglen > KUZNYECHIK_MAC_MAX_SIZE) {
1195 CRYPTOCOMerr(CRYPTOCOM_F_GOST_GRASSHOPPER_CIPHER_CTL,
1196 CRYPTOCOM_R_INVALID_TAG_LENGTH);
1200 if (type == EVP_CTRL_AEAD_GET_TAG)
1201 memcpy(tag, c->final_tag, taglen);
1203 memcpy(c->final_tag, tag, taglen);
1208 case EVP_CTRL_PROCESS_UNPROTECTED:
1210 STACK_OF(X509_ATTRIBUTE) *x = ptr;
1211 gost_grasshopper_cipher_ctx_ctr *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
1213 if (c->c.type != GRASSHOPPER_CIPHER_CTRACPKMOMAC)
1216 return gost2015_process_unprotected_attributes(x, arg, KUZNYECHIK_MAC_MAX_SIZE, c->tag);
1219 case EVP_CTRL_COPY: {
1220 EVP_CIPHER_CTX *out = ptr;
1222 gost_grasshopper_cipher_ctx_ctr *out_cctx = EVP_CIPHER_CTX_get_cipher_data(out);
1223 gost_grasshopper_cipher_ctx_ctr *in_cctx = EVP_CIPHER_CTX_get_cipher_data(ctx);
1225 if (in_cctx->c.type != GRASSHOPPER_CIPHER_CTRACPKMOMAC)
1228 if (in_cctx->omac_ctx == out_cctx->omac_ctx) {
1229 out_cctx->omac_ctx = EVP_MD_CTX_new();
1230 if (out_cctx->omac_ctx == NULL) {
1231 GOSTerr(GOST_F_GOST_GRASSHOPPER_CIPHER_CTL, ERR_R_MALLOC_FAILURE);
1235 return EVP_MD_CTX_copy(out_cctx->omac_ctx, in_cctx->omac_ctx);
1238 GOSTerr(GOST_F_GOST_GRASSHOPPER_CIPHER_CTL,
1239 GOST_R_UNSUPPORTED_CIPHER_CTL_COMMAND);
1245 /* Called directly by CMAC_ACPKM_Init() */
1246 const GRASSHOPPER_INLINE EVP_CIPHER *cipher_gost_grasshopper_ctracpkm()
1248 return GOST_init_cipher(&grasshopper_ctr_acpkm_cipher);
1250 /* vim: set expandtab cinoptions=\:0,l1,t0,g0,(0 sw=4 : */
projects / openssl-gost / engine.git / blob