3 * Copyright (c) 2020 Vitaly Chikunov <vt@altlinux.org>
4 * This file is distributed under the same license as OpenSSL
7 #include "gost_grasshopper_cipher.h"
8 #include "gost_grasshopper_defines.h"
9 #include "gost_grasshopper_math.h"
10 #include "gost_grasshopper_core.h"
11 #include "gost_gost2015.h"
13 #include <openssl/evp.h>
14 #include <openssl/rand.h>
15 #include <openssl/err.h>
19 #include "e_gost_err.h"
21 enum GRASSHOPPER_CIPHER_TYPE {
22 GRASSHOPPER_CIPHER_ECB = 0,
23 GRASSHOPPER_CIPHER_CBC,
24 GRASSHOPPER_CIPHER_OFB,
25 GRASSHOPPER_CIPHER_CFB,
26 GRASSHOPPER_CIPHER_CTR,
27 GRASSHOPPER_CIPHER_CTRACPKM,
28 GRASSHOPPER_CIPHER_CTRACPKMOMAC,
29 GRASSHOPPER_CIPHER_MGM,
32 static GOST_cipher grasshopper_template_cipher = {
33 .block_size = GRASSHOPPER_BLOCK_SIZE,
34 .key_len = GRASSHOPPER_KEY_SIZE,
35 .flags = EVP_CIPH_RAND_KEY |
36 EVP_CIPH_ALWAYS_CALL_INIT,
37 .cleanup = gost_grasshopper_cipher_cleanup,
38 .ctx_size = sizeof(gost_grasshopper_cipher_ctx),
39 .set_asn1_parameters = gost_grasshopper_set_asn1_parameters,
40 .get_asn1_parameters = gost_grasshopper_get_asn1_parameters,
41 .ctrl = gost_grasshopper_cipher_ctl,
44 GOST_cipher grasshopper_ecb_cipher = {
45 .nid = NID_grasshopper_ecb,
46 .template = &grasshopper_template_cipher,
47 .flags = EVP_CIPH_ECB_MODE,
48 .init = gost_grasshopper_cipher_init_ecb,
49 .do_cipher = gost_grasshopper_cipher_do_ecb,
52 GOST_cipher grasshopper_cbc_cipher = {
53 .nid = NID_grasshopper_cbc,
54 .template = &grasshopper_template_cipher,
56 .flags = EVP_CIPH_CBC_MODE |
58 .init = gost_grasshopper_cipher_init_cbc,
59 .do_cipher = gost_grasshopper_cipher_do_cbc,
62 GOST_cipher grasshopper_ofb_cipher = {
63 .nid = NID_grasshopper_ofb,
64 .template = &grasshopper_template_cipher,
67 .flags = EVP_CIPH_OFB_MODE |
70 .init = gost_grasshopper_cipher_init_ofb,
71 .do_cipher = gost_grasshopper_cipher_do_ofb,
74 GOST_cipher grasshopper_cfb_cipher = {
75 .nid = NID_grasshopper_cfb,
76 .template = &grasshopper_template_cipher,
79 .flags = EVP_CIPH_CFB_MODE |
82 .init = gost_grasshopper_cipher_init_cfb,
83 .do_cipher = gost_grasshopper_cipher_do_cfb,
86 GOST_cipher grasshopper_ctr_cipher = {
87 .nid = NID_grasshopper_ctr,
88 .template = &grasshopper_template_cipher,
91 .flags = EVP_CIPH_CTR_MODE |
94 .init = gost_grasshopper_cipher_init_ctr,
95 .do_cipher = gost_grasshopper_cipher_do_ctr,
96 .ctx_size = sizeof(gost_grasshopper_cipher_ctx_ctr),
99 GOST_cipher grasshopper_ctr_acpkm_cipher = {
100 .nid = NID_kuznyechik_ctr_acpkm,
101 .template = &grasshopper_template_cipher,
104 .flags = EVP_CIPH_CTR_MODE |
105 EVP_CIPH_NO_PADDING |
107 .init = gost_grasshopper_cipher_init_ctracpkm,
108 .do_cipher = gost_grasshopper_cipher_do_ctracpkm,
109 .ctx_size = sizeof(gost_grasshopper_cipher_ctx_ctr),
112 GOST_cipher grasshopper_ctr_acpkm_omac_cipher = {
113 .nid = NID_kuznyechik_ctr_acpkm_omac,
114 .template = &grasshopper_template_cipher,
117 .flags = EVP_CIPH_CTR_MODE |
118 EVP_CIPH_NO_PADDING |
120 EVP_CIPH_FLAG_CUSTOM_CIPHER |
121 EVP_CIPH_FLAG_CIPHER_WITH_MAC |
122 EVP_CIPH_CUSTOM_COPY,
123 .init = gost_grasshopper_cipher_init_ctracpkm_omac,
124 .do_cipher = gost_grasshopper_cipher_do_ctracpkm_omac,
125 .ctx_size = sizeof(gost_grasshopper_cipher_ctx_ctr),
128 GOST_cipher grasshopper_mgm_cipher = {
130 .template = &grasshopper_template_cipher,
133 .flags = EVP_CIPH_NO_PADDING |
134 EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER |
135 EVP_CIPH_CTRL_INIT | EVP_CIPH_FLAG_AEAD_CIPHER,
136 .cleanup = gost_grasshopper_mgm_cleanup,
137 .ctrl = gost_grasshopper_mgm_ctrl,
138 .init = gost_grasshopper_cipher_init_mgm,
139 .do_cipher = gost_grasshopper_cipher_do_mgm,
140 .ctx_size = sizeof(gost_mgm_ctx)
143 static void kuznyechik_NID_callback (int nid)
145 grasshopper_mgm_cipher.nid = nid;
148 GOST_NID_JOB kuznyechik_mgm_NID = {
149 .sn = SN_kuznyechik_mgm,
150 .ln = SN_kuznyechik_mgm,
151 .callback = kuznyechik_NID_callback,
154 /* first 256 bit of D from draft-irtf-cfrg-re-keying-12 */
155 static const unsigned char ACPKM_D_2018[] = {
156 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, /* 64 bit */
157 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f, /* 128 bit */
158 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
159 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f, /* 256 bit */
162 static void acpkm_next(gost_grasshopper_cipher_ctx * c)
164 unsigned char newkey[GRASSHOPPER_KEY_SIZE];
165 const int J = GRASSHOPPER_KEY_SIZE / GRASSHOPPER_BLOCK_SIZE;
168 for (n = 0; n < J; n++) {
169 const unsigned char *D_n = &ACPKM_D_2018[n * GRASSHOPPER_BLOCK_SIZE];
171 grasshopper_encrypt_block(&c->encrypt_round_keys,
172 (grasshopper_w128_t *) D_n,
173 (grasshopper_w128_t *) & newkey[n *
174 GRASSHOPPER_BLOCK_SIZE],
177 gost_grasshopper_cipher_key(c, newkey);
180 /* Set 256 bit key into context */
181 static GRASSHOPPER_INLINE void
182 gost_grasshopper_cipher_key(gost_grasshopper_cipher_ctx * c, const uint8_t *k)
185 for (i = 0; i < 2; i++) {
186 grasshopper_copy128(&c->key.k.k[i],
187 (const grasshopper_w128_t *)(k + i * 16));
190 grasshopper_set_encrypt_key(&c->encrypt_round_keys, &c->key);
191 grasshopper_set_decrypt_key(&c->decrypt_round_keys, &c->key);
194 /* Set master 256-bit key to be used in TLSTREE calculation into context */
195 static GRASSHOPPER_INLINE void
196 gost_grasshopper_master_key(gost_grasshopper_cipher_ctx * c, const uint8_t *k)
199 for (i = 0; i < 2; i++) {
200 grasshopper_copy128(&c->master_key.k.k[i],
201 (const grasshopper_w128_t *)(k + i * 16));
205 /* Cleans up key from context */
206 static GRASSHOPPER_INLINE void
207 gost_grasshopper_cipher_destroy(gost_grasshopper_cipher_ctx * c)
210 for (i = 0; i < 2; i++) {
211 grasshopper_zero128(&c->key.k.k[i]);
212 grasshopper_zero128(&c->master_key.k.k[i]);
214 for (i = 0; i < GRASSHOPPER_ROUND_KEYS_COUNT; i++) {
215 grasshopper_zero128(&c->encrypt_round_keys.k[i]);
217 for (i = 0; i < GRASSHOPPER_ROUND_KEYS_COUNT; i++) {
218 grasshopper_zero128(&c->decrypt_round_keys.k[i]);
220 grasshopper_zero128(&c->buffer);
223 static GRASSHOPPER_INLINE void
224 gost_grasshopper_cipher_destroy_ctr(gost_grasshopper_cipher_ctx * c)
226 gost_grasshopper_cipher_ctx_ctr *ctx =
227 (gost_grasshopper_cipher_ctx_ctr *) c;
230 EVP_MD_CTX_free(ctx->omac_ctx);
232 grasshopper_zero128(&ctx->partial_buffer);
235 static int gost_grasshopper_cipher_init(EVP_CIPHER_CTX *ctx,
236 const unsigned char *key,
237 const unsigned char *iv, int enc)
239 gost_grasshopper_cipher_ctx *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
241 if (EVP_CIPHER_CTX_get_app_data(ctx) == NULL) {
242 EVP_CIPHER_CTX_set_app_data(ctx, EVP_CIPHER_CTX_get_cipher_data(ctx));
243 if (enc && c->type == GRASSHOPPER_CIPHER_CTRACPKM) {
244 gost_grasshopper_cipher_ctx_ctr *ctr = EVP_CIPHER_CTX_get_cipher_data(ctx);
245 if (init_zero_kdf_seed(ctr->kdf_seed) == 0)
251 gost_grasshopper_cipher_key(c, key);
252 gost_grasshopper_master_key(c, key);
256 memcpy((unsigned char *)EVP_CIPHER_CTX_original_iv(ctx), iv,
257 EVP_CIPHER_CTX_iv_length(ctx));
260 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx),
261 EVP_CIPHER_CTX_original_iv(ctx), EVP_CIPHER_CTX_iv_length(ctx));
263 grasshopper_zero128(&c->buffer);
268 static GRASSHOPPER_INLINE int
269 gost_grasshopper_cipher_init_ecb(EVP_CIPHER_CTX *ctx, const unsigned char
270 *key, const unsigned char
273 gost_grasshopper_cipher_ctx *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
274 c->type = GRASSHOPPER_CIPHER_ECB;
275 return gost_grasshopper_cipher_init(ctx, key, iv, enc);
278 static GRASSHOPPER_INLINE int
279 gost_grasshopper_cipher_init_cbc(EVP_CIPHER_CTX *ctx, const unsigned char
280 *key, const unsigned char
283 gost_grasshopper_cipher_ctx *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
284 c->type = GRASSHOPPER_CIPHER_CBC;
285 return gost_grasshopper_cipher_init(ctx, key, iv, enc);
288 static GRASSHOPPER_INLINE
289 int gost_grasshopper_cipher_init_ofb(EVP_CIPHER_CTX *ctx, const unsigned char
290 *key, const unsigned char
293 gost_grasshopper_cipher_ctx *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
294 c->type = GRASSHOPPER_CIPHER_OFB;
295 return gost_grasshopper_cipher_init(ctx, key, iv, enc);
298 static GRASSHOPPER_INLINE int
299 gost_grasshopper_cipher_init_cfb(EVP_CIPHER_CTX *ctx, const unsigned char
300 *key, const unsigned char
303 gost_grasshopper_cipher_ctx *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
304 c->type = GRASSHOPPER_CIPHER_CFB;
305 return gost_grasshopper_cipher_init(ctx, key, iv, enc);
308 static GRASSHOPPER_INLINE int
309 gost_grasshopper_cipher_init_ctr(EVP_CIPHER_CTX *ctx, const unsigned char
310 *key, const unsigned char
313 gost_grasshopper_cipher_ctx_ctr *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
315 c->c.type = GRASSHOPPER_CIPHER_CTR;
316 EVP_CIPHER_CTX_set_num(ctx, 0);
318 grasshopper_zero128(&c->partial_buffer);
320 return gost_grasshopper_cipher_init(ctx, key, iv, enc);
323 static GRASSHOPPER_INLINE int
324 gost_grasshopper_cipher_init_ctracpkm(EVP_CIPHER_CTX
326 char *key, const unsigned
329 gost_grasshopper_cipher_ctx_ctr *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
331 /* NB: setting type makes EVP do_cipher callback useless */
332 c->c.type = GRASSHOPPER_CIPHER_CTRACPKM;
333 EVP_CIPHER_CTX_set_num(ctx, 0);
334 c->section_size = 4096;
336 return gost_grasshopper_cipher_init(ctx, key, iv, enc);
339 static GRASSHOPPER_INLINE int
340 gost_grasshopper_cipher_init_ctracpkm_omac(EVP_CIPHER_CTX
342 char *key, const unsigned
345 gost_grasshopper_cipher_ctx_ctr *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
347 /* NB: setting type makes EVP do_cipher callback useless */
348 c->c.type = GRASSHOPPER_CIPHER_CTRACPKMOMAC;
349 EVP_CIPHER_CTX_set_num(ctx, 0);
350 c->section_size = 4096;
353 unsigned char cipher_key[32];
354 c->omac_ctx = EVP_MD_CTX_new();
356 if (c->omac_ctx == NULL) {
357 GOSTerr(GOST_F_GOST_GRASSHOPPER_CIPHER_INIT_CTRACPKM_OMAC, ERR_R_MALLOC_FAILURE);
361 if (gost2015_acpkm_omac_init(NID_kuznyechik_mac, enc, key,
362 c->omac_ctx, cipher_key, c->kdf_seed) != 1) {
363 EVP_MD_CTX_free(c->omac_ctx);
368 return gost_grasshopper_cipher_init(ctx, cipher_key, iv, enc);
371 return gost_grasshopper_cipher_init(ctx, key, iv, enc);
374 // TODO: const *in, const *c
375 void gost_grasshopper_encrypt_wrap(unsigned char *in, unsigned char *out,
376 gost_grasshopper_cipher_ctx *c) {
377 grasshopper_encrypt_block(&c->encrypt_round_keys,
378 (grasshopper_w128_t *) in,
379 (grasshopper_w128_t *) out,
385 /* ----------------------------------------------------------------------------------------------- */
386 /*! Функция реализует операцию умножения двух элементов конечного поля \f$ \mathbb F_{2^{128}}\f$,
387 порожденного неприводимым многочленом
388 \f$ f(x) = x^{128} + x^7 + x^2 + x + 1 \in \mathbb F_2[x]\f$. Для умножения используется
389 простейшая реализация, основанная на приведении по модулю после каждого шага алгоритма. */
390 /* ----------------------------------------------------------------------------------------------- */
391 static void gf128_mul_uint64 (uint64_t *result, uint64_t *arg1, uint64_t *arg2)
394 register uint64_t t, X0, X1;
395 uint64_t Z0 = 0, Z1 = 0;
398 X0 = BSWAP64(*(arg1 + 1));
405 //first 64 bits of arg1
407 t = BSWAP64(*(arg2 + 1));
412 for (i = 0; i < 64; i++) {
418 if (X1 & 0x8000000000000000) {
431 //second 64 bits of arg2
438 for (i = 0; i < 63; i++) {
444 if (X1 & 0x8000000000000000) {
463 result[0] = BSWAP64(Z1);
464 result[1] = BSWAP64(Z0);
471 static GRASSHOPPER_INLINE int
472 gost_grasshopper_cipher_init_mgm(EVP_CIPHER_CTX *ctx, const unsigned char *key,
473 const unsigned char *iv, int enc)
476 (gost_mgm_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx);
482 bl = EVP_CIPHER_CTX_iv_length(ctx);
483 gost_grasshopper_cipher_key(&mctx->ks.gh_ks, key);
484 gost_mgm128_init(&mctx->mgm, &mctx->ks,
485 (block128_f) gost_grasshopper_encrypt_wrap, gf128_mul_uint64, bl);
488 * If we have an iv can set it directly, otherwise use saved IV.
490 if (iv == NULL && mctx->iv_set)
493 if (gost_mgm128_setiv(&mctx->mgm, iv, mctx->ivlen) != 1)
499 /* If key set use IV, otherwise copy */
501 if (gost_mgm128_setiv(&mctx->mgm, iv, mctx->ivlen) != 1)
505 memcpy(mctx->iv, iv, mctx->ivlen);
511 static int gost_grasshopper_cipher_do_ecb(EVP_CIPHER_CTX *ctx, unsigned char *out,
512 const unsigned char *in, size_t inl)
514 gost_grasshopper_cipher_ctx *c =
515 (gost_grasshopper_cipher_ctx *) EVP_CIPHER_CTX_get_cipher_data(ctx);
516 bool encrypting = (bool) EVP_CIPHER_CTX_encrypting(ctx);
517 const unsigned char *current_in = in;
518 unsigned char *current_out = out;
519 size_t blocks = inl / GRASSHOPPER_BLOCK_SIZE;
522 for (i = 0; i < blocks;
523 i++, current_in += GRASSHOPPER_BLOCK_SIZE, current_out +=
524 GRASSHOPPER_BLOCK_SIZE) {
526 grasshopper_encrypt_block(&c->encrypt_round_keys,
527 (grasshopper_w128_t *) current_in,
528 (grasshopper_w128_t *) current_out,
531 grasshopper_decrypt_block(&c->decrypt_round_keys,
532 (grasshopper_w128_t *) current_in,
533 (grasshopper_w128_t *) current_out,
541 static int gost_grasshopper_cipher_do_cbc(EVP_CIPHER_CTX *ctx, unsigned char *out,
542 const unsigned char *in, size_t inl)
544 gost_grasshopper_cipher_ctx *c =
545 (gost_grasshopper_cipher_ctx *) EVP_CIPHER_CTX_get_cipher_data(ctx);
546 unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
547 bool encrypting = (bool) EVP_CIPHER_CTX_encrypting(ctx);
548 const unsigned char *current_in = in;
549 unsigned char *current_out = out;
550 size_t blocks = inl / GRASSHOPPER_BLOCK_SIZE;
552 grasshopper_w128_t *currentBlock;
554 currentBlock = (grasshopper_w128_t *) iv;
556 for (i = 0; i < blocks;
557 i++, current_in += GRASSHOPPER_BLOCK_SIZE, current_out +=
558 GRASSHOPPER_BLOCK_SIZE) {
559 grasshopper_w128_t *currentInputBlock = (grasshopper_w128_t *) current_in;
560 grasshopper_w128_t *currentOutputBlock = (grasshopper_w128_t *) current_out;
562 grasshopper_append128(currentBlock, currentInputBlock);
563 grasshopper_encrypt_block(&c->encrypt_round_keys, currentBlock,
564 currentOutputBlock, &c->buffer);
565 grasshopper_copy128(currentBlock, currentOutputBlock);
567 grasshopper_w128_t tmp;
569 grasshopper_copy128(&tmp, currentInputBlock);
570 grasshopper_decrypt_block(&c->decrypt_round_keys,
571 currentInputBlock, currentOutputBlock,
573 grasshopper_append128(currentOutputBlock, currentBlock);
574 grasshopper_copy128(currentBlock, &tmp);
581 void inc_counter(unsigned char *counter, size_t counter_bytes)
583 unsigned int n = counter_bytes;
596 /* increment counter (128-bit int) by 1 */
597 static void ctr128_inc(unsigned char *counter)
599 inc_counter(counter, 16);
602 static int gost_grasshopper_cipher_do_ctr(EVP_CIPHER_CTX *ctx, unsigned char *out,
603 const unsigned char *in, size_t inl)
605 gost_grasshopper_cipher_ctx_ctr *c = (gost_grasshopper_cipher_ctx_ctr *)
606 EVP_CIPHER_CTX_get_cipher_data(ctx);
607 unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
608 const unsigned char *current_in = in;
609 unsigned char *current_out = out;
610 grasshopper_w128_t *currentInputBlock;
611 grasshopper_w128_t *currentOutputBlock;
612 unsigned int n = EVP_CIPHER_CTX_num(ctx);
616 grasshopper_w128_t *iv_buffer;
617 grasshopper_w128_t tmp;
619 while (n && lasted) {
620 *(current_out++) = *(current_in++) ^ c->partial_buffer.b[n];
622 n = (n + 1) % GRASSHOPPER_BLOCK_SIZE;
624 EVP_CIPHER_CTX_set_num(ctx, n);
625 blocks = lasted / GRASSHOPPER_BLOCK_SIZE;
627 iv_buffer = (grasshopper_w128_t *) iv;
630 for (i = 0; i < blocks; i++) {
631 currentInputBlock = (grasshopper_w128_t *) current_in;
632 currentOutputBlock = (grasshopper_w128_t *) current_out;
633 grasshopper_encrypt_block(&c->c.encrypt_round_keys, iv_buffer,
634 &c->partial_buffer, &c->c.buffer);
635 grasshopper_plus128(&tmp, &c->partial_buffer, currentInputBlock);
636 grasshopper_copy128(currentOutputBlock, &tmp);
637 ctr128_inc(iv_buffer->b);
638 current_in += GRASSHOPPER_BLOCK_SIZE;
639 current_out += GRASSHOPPER_BLOCK_SIZE;
640 lasted -= GRASSHOPPER_BLOCK_SIZE;
644 currentInputBlock = (grasshopper_w128_t *) current_in;
645 currentOutputBlock = (grasshopper_w128_t *) current_out;
646 grasshopper_encrypt_block(&c->c.encrypt_round_keys, iv_buffer,
647 &c->partial_buffer, &c->c.buffer);
648 for (i = 0; i < lasted; i++) {
649 currentOutputBlock->b[i] =
650 c->partial_buffer.b[i] ^ currentInputBlock->b[i];
652 EVP_CIPHER_CTX_set_num(ctx, i);
653 ctr128_inc(iv_buffer->b);
659 #define GRASSHOPPER_BLOCK_MASK (GRASSHOPPER_BLOCK_SIZE - 1)
660 static inline void apply_acpkm_grasshopper(gost_grasshopper_cipher_ctx_ctr *
661 ctx, unsigned int *num)
663 if (!ctx->section_size || (*num < ctx->section_size))
666 *num &= GRASSHOPPER_BLOCK_MASK;
669 /* If meshing is not configured via ctrl (setting section_size)
670 * this function works exactly like plain ctr */
671 static int gost_grasshopper_cipher_do_ctracpkm(EVP_CIPHER_CTX *ctx,
673 const unsigned char *in,
676 gost_grasshopper_cipher_ctx_ctr *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
677 unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
678 unsigned int num = EVP_CIPHER_CTX_num(ctx);
679 size_t blocks, i, lasted = inl;
680 grasshopper_w128_t tmp;
682 while ((num & GRASSHOPPER_BLOCK_MASK) && lasted) {
683 *out++ = *in++ ^ c->partial_buffer.b[num & GRASSHOPPER_BLOCK_MASK];
687 blocks = lasted / GRASSHOPPER_BLOCK_SIZE;
690 for (i = 0; i < blocks; i++) {
691 apply_acpkm_grasshopper(c, &num);
692 grasshopper_encrypt_block(&c->c.encrypt_round_keys,
693 (grasshopper_w128_t *) iv,
694 (grasshopper_w128_t *) & c->partial_buffer,
696 grasshopper_plus128(&tmp, &c->partial_buffer,
697 (grasshopper_w128_t *) in);
698 grasshopper_copy128((grasshopper_w128_t *) out, &tmp);
700 in += GRASSHOPPER_BLOCK_SIZE;
701 out += GRASSHOPPER_BLOCK_SIZE;
702 num += GRASSHOPPER_BLOCK_SIZE;
703 lasted -= GRASSHOPPER_BLOCK_SIZE;
708 apply_acpkm_grasshopper(c, &num);
709 grasshopper_encrypt_block(&c->c.encrypt_round_keys,
710 (grasshopper_w128_t *) iv,
711 &c->partial_buffer, &c->c.buffer);
712 for (i = 0; i < lasted; i++)
713 out[i] = c->partial_buffer.b[i] ^ in[i];
717 EVP_CIPHER_CTX_set_num(ctx, num);
722 static int gost_grasshopper_cipher_do_ctracpkm_omac(EVP_CIPHER_CTX *ctx,
724 const unsigned char *in,
728 gost_grasshopper_cipher_ctx_ctr *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
729 /* As in and out can be the same pointer, process unencrypted here */
730 if (EVP_CIPHER_CTX_encrypting(ctx))
731 EVP_DigestSignUpdate(c->omac_ctx, in, inl);
733 if (in == NULL && inl == 0) { /* Final call */
734 return gost2015_final_call(ctx, c->omac_ctx, KUZNYECHIK_MAC_MAX_SIZE, c->tag, gost_grasshopper_cipher_do_ctracpkm);
738 GOSTerr(GOST_F_GOST_GRASSHOPPER_CIPHER_DO_CTRACPKM_OMAC, ERR_R_EVP_LIB);
741 result = gost_grasshopper_cipher_do_ctracpkm(ctx, out, in, inl);
743 /* As in and out can be the same pointer, process decrypted here */
744 if (!EVP_CIPHER_CTX_encrypting(ctx))
745 EVP_DigestSignUpdate(c->omac_ctx, out, inl);
752 static int gost_grasshopper_cipher_do_mgm(EVP_CIPHER_CTX *ctx, unsigned char *out,
753 const unsigned char *in, size_t len)
756 (gost_mgm_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx);
757 int enc = EVP_CIPHER_CTX_encrypting(ctx);
759 /* If not set up, return error */
760 if (!mctx->key_set) {
761 GOSTerr(GOST_F_GOST_GRASSHOPPER_CIPHER_DO_MGM,
767 GOSTerr(GOST_F_GOST_GRASSHOPPER_CIPHER_DO_MGM,
773 if (gost_mgm128_aad(&mctx->mgm, in, len))
776 if (gost_mgm128_encrypt(&mctx->mgm, in, out, len))
779 if (gost_mgm128_decrypt(&mctx->mgm, in, out, len))
785 if (mctx->taglen < 0)
787 if (gost_mgm128_finish(&mctx->mgm,
788 EVP_CIPHER_CTX_buf_noconst(ctx),
794 gost_mgm128_tag(&mctx->mgm, EVP_CIPHER_CTX_buf_noconst(ctx), 16);
796 /* Don't reuse the IV */
804 * Fixed 128-bit IV implementation make shift regiser redundant.
806 static void gost_grasshopper_cnt_next(gost_grasshopper_cipher_ctx * ctx,
807 grasshopper_w128_t * iv,
808 grasshopper_w128_t * buf)
810 grasshopper_w128_t tmp;
811 memcpy(&tmp, iv, 16);
812 grasshopper_encrypt_block(&ctx->encrypt_round_keys, &tmp,
817 static int gost_grasshopper_cipher_do_ofb(EVP_CIPHER_CTX *ctx, unsigned char *out,
818 const unsigned char *in, size_t inl)
820 gost_grasshopper_cipher_ctx *c = (gost_grasshopper_cipher_ctx *)
821 EVP_CIPHER_CTX_get_cipher_data(ctx);
822 const unsigned char *in_ptr = in;
823 unsigned char *out_ptr = out;
824 unsigned char *buf = EVP_CIPHER_CTX_buf_noconst(ctx);
825 unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
826 int num = EVP_CIPHER_CTX_num(ctx);
830 /* process partial block if any */
832 for (j = (size_t)num, i = 0; j < GRASSHOPPER_BLOCK_SIZE && i < inl;
833 j++, i++, in_ptr++, out_ptr++) {
834 *out_ptr = buf[j] ^ (*in_ptr);
836 if (j == GRASSHOPPER_BLOCK_SIZE) {
837 EVP_CIPHER_CTX_set_num(ctx, 0);
839 EVP_CIPHER_CTX_set_num(ctx, (int)j);
844 for (; i + GRASSHOPPER_BLOCK_SIZE <
846 i += GRASSHOPPER_BLOCK_SIZE, in_ptr +=
847 GRASSHOPPER_BLOCK_SIZE, out_ptr += GRASSHOPPER_BLOCK_SIZE) {
849 * block cipher current iv
852 gost_grasshopper_cnt_next(c, (grasshopper_w128_t *) iv,
853 (grasshopper_w128_t *) buf);
856 * xor next block of input text with it and output it
861 for (j = 0; j < GRASSHOPPER_BLOCK_SIZE; j++) {
862 out_ptr[j] = buf[j] ^ in_ptr[j];
866 /* Process rest of buffer */
868 gost_grasshopper_cnt_next(c, (grasshopper_w128_t *) iv,
869 (grasshopper_w128_t *) buf);
870 for (j = 0; i < inl; j++, i++) {
871 out_ptr[j] = buf[j] ^ in_ptr[j];
873 EVP_CIPHER_CTX_set_num(ctx, (int)j);
875 EVP_CIPHER_CTX_set_num(ctx, 0);
881 static int gost_grasshopper_cipher_do_cfb(EVP_CIPHER_CTX *ctx, unsigned char *out,
882 const unsigned char *in, size_t inl)
884 gost_grasshopper_cipher_ctx *c =
885 (gost_grasshopper_cipher_ctx *) EVP_CIPHER_CTX_get_cipher_data(ctx);
886 const unsigned char *in_ptr = in;
887 unsigned char *out_ptr = out;
888 unsigned char *buf = EVP_CIPHER_CTX_buf_noconst(ctx);
889 unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
890 bool encrypting = (bool) EVP_CIPHER_CTX_encrypting(ctx);
891 int num = EVP_CIPHER_CTX_num(ctx);
895 /* process partial block if any */
897 for (j = (size_t)num, i = 0; j < GRASSHOPPER_BLOCK_SIZE && i < inl;
898 j++, i++, in_ptr++, out_ptr++) {
900 buf[j + GRASSHOPPER_BLOCK_SIZE] = *in_ptr;
902 *out_ptr = buf[j] ^ (*in_ptr);
904 buf[j + GRASSHOPPER_BLOCK_SIZE] = *out_ptr;
907 if (j == GRASSHOPPER_BLOCK_SIZE) {
908 memcpy(iv, buf + GRASSHOPPER_BLOCK_SIZE, GRASSHOPPER_BLOCK_SIZE);
909 EVP_CIPHER_CTX_set_num(ctx, 0);
911 EVP_CIPHER_CTX_set_num(ctx, (int)j);
916 for (; i + GRASSHOPPER_BLOCK_SIZE <
918 i += GRASSHOPPER_BLOCK_SIZE, in_ptr +=
919 GRASSHOPPER_BLOCK_SIZE, out_ptr += GRASSHOPPER_BLOCK_SIZE) {
921 * block cipher current iv
923 grasshopper_encrypt_block(&c->encrypt_round_keys,
924 (grasshopper_w128_t *) iv,
925 (grasshopper_w128_t *) buf, &c->buffer);
927 * xor next block of input text with it and output it
933 memcpy(iv, in_ptr, GRASSHOPPER_BLOCK_SIZE);
935 for (j = 0; j < GRASSHOPPER_BLOCK_SIZE; j++) {
936 out_ptr[j] = buf[j] ^ in_ptr[j];
939 /* Next iv is next block of cipher text */
941 memcpy(iv, out_ptr, GRASSHOPPER_BLOCK_SIZE);
945 /* Process rest of buffer */
947 grasshopper_encrypt_block(&c->encrypt_round_keys,
948 (grasshopper_w128_t *) iv,
949 (grasshopper_w128_t *) buf, &c->buffer);
951 memcpy(buf + GRASSHOPPER_BLOCK_SIZE, in_ptr, inl - i);
953 for (j = 0; i < inl; j++, i++) {
954 out_ptr[j] = buf[j] ^ in_ptr[j];
956 EVP_CIPHER_CTX_set_num(ctx, (int)j);
958 memcpy(buf + GRASSHOPPER_BLOCK_SIZE, out_ptr, j);
961 EVP_CIPHER_CTX_set_num(ctx, 0);
967 static int gost_grasshopper_cipher_cleanup(EVP_CIPHER_CTX *ctx)
969 gost_grasshopper_cipher_ctx *c =
970 (gost_grasshopper_cipher_ctx *) EVP_CIPHER_CTX_get_cipher_data(ctx);
975 if (EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_CTR_MODE)
976 gost_grasshopper_cipher_destroy_ctr(c);
978 EVP_CIPHER_CTX_set_app_data(ctx, NULL);
983 static int gost_grasshopper_set_asn1_parameters(EVP_CIPHER_CTX *ctx, ASN1_TYPE *params)
985 if (EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_CTR_MODE) {
986 gost_grasshopper_cipher_ctx_ctr *ctr = EVP_CIPHER_CTX_get_cipher_data(ctx);
988 /* CMS implies 256kb section_size */
989 ctr->section_size = 256*1024;
991 return gost2015_set_asn1_params(params,
992 EVP_CIPHER_CTX_original_iv(ctx), 8, ctr->kdf_seed);
997 static GRASSHOPPER_INLINE int
998 gost_grasshopper_get_asn1_parameters(EVP_CIPHER_CTX *ctx, ASN1_TYPE *params)
1000 if (EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_CTR_MODE) {
1001 gost_grasshopper_cipher_ctx_ctr *ctr = EVP_CIPHER_CTX_get_cipher_data(ctx);
1004 unsigned char iv[16];
1006 if (gost2015_get_asn1_params(params, 16, iv, 8, ctr->kdf_seed) == 0) {
1010 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, iv_len);
1011 memcpy((unsigned char *)EVP_CIPHER_CTX_original_iv(ctx), iv, iv_len);
1013 /* CMS implies 256kb section_size */
1014 ctr->section_size = 256*1024;
1020 static int gost_grasshopper_mgm_cleanup(EVP_CIPHER_CTX *c)
1022 gost_mgm_ctx *mctx =
1023 (gost_mgm_ctx *)EVP_CIPHER_CTX_get_cipher_data(c);
1026 gost_grasshopper_cipher_destroy(&mctx->ks.gh_ks);
1027 OPENSSL_cleanse(&mctx->mgm, sizeof(mctx->mgm));
1028 if (mctx->iv != EVP_CIPHER_CTX_iv_noconst(c))
1029 OPENSSL_free(mctx->iv);
1033 static int gost_grasshopper_mgm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1035 gost_mgm_ctx *mctx =
1036 (gost_mgm_ctx *)EVP_CIPHER_CTX_get_cipher_data(c);
1037 unsigned char *buf, *iv;
1042 ivlen = EVP_CIPHER_iv_length(EVP_CIPHER_CTX_cipher(c));
1043 iv = EVP_CIPHER_CTX_iv_noconst(c);
1046 mctx->ivlen = ivlen;
1051 case EVP_CTRL_GET_IVLEN:
1052 *(int *)ptr = mctx->ivlen;
1055 case EVP_CTRL_AEAD_SET_IVLEN:
1058 if ((arg > EVP_MAX_IV_LENGTH) && (arg > mctx->ivlen)) {
1059 // TODO: Allocate memory for IV or set error
1065 case EVP_CTRL_AEAD_SET_TAG:
1066 buf = EVP_CIPHER_CTX_buf_noconst(c);
1067 enc = EVP_CIPHER_CTX_encrypting(c);
1068 if (arg <= 0 || arg != 16 || enc) {
1069 GOSTerr(GOST_F_GOST_GRASSHOPPER_MGM_CTRL,
1070 GOST_R_INVALID_TAG_LENGTH);
1073 memcpy(buf, ptr, arg);
1077 case EVP_CTRL_AEAD_GET_TAG:
1078 buf = EVP_CIPHER_CTX_buf_noconst(c);
1079 enc = EVP_CIPHER_CTX_encrypting(c);
1080 if (arg <= 0 || arg > 16 || !enc || mctx->taglen < 0) {
1081 GOSTerr(GOST_F_GOST_GRASSHOPPER_MGM_CTRL,
1082 GOST_R_INVALID_TAG_LENGTH);
1085 memcpy(ptr, buf, arg);
1093 static int gost_grasshopper_cipher_ctl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
1096 case EVP_CTRL_RAND_KEY:{
1098 ((unsigned char *)ptr, EVP_CIPHER_CTX_key_length(ctx)) <= 0) {
1099 GOSTerr(GOST_F_GOST_GRASSHOPPER_CIPHER_CTL, GOST_R_RNG_ERROR);
1104 case EVP_CTRL_KEY_MESH:{
1105 gost_grasshopper_cipher_ctx_ctr *c =
1106 EVP_CIPHER_CTX_get_cipher_data(ctx);
1107 if ((c->c.type != GRASSHOPPER_CIPHER_CTRACPKM &&
1108 c->c.type != GRASSHOPPER_CIPHER_CTRACPKMOMAC)
1110 || (arg % GRASSHOPPER_BLOCK_SIZE))
1112 c->section_size = arg;
1115 case EVP_CTRL_TLSTREE:
1117 unsigned char newkey[32];
1118 int mode = EVP_CIPHER_CTX_mode(ctx);
1119 gost_grasshopper_cipher_ctx_ctr *ctr_ctx = NULL;
1120 gost_grasshopper_cipher_ctx *c = NULL;
1122 unsigned char adjusted_iv[16];
1123 unsigned char seq[8];
1124 int j, carry, decrement_arg;
1125 if (mode != EVP_CIPH_CTR_MODE)
1128 ctr_ctx = (gost_grasshopper_cipher_ctx_ctr *)
1129 EVP_CIPHER_CTX_get_cipher_data(ctx);
1133 * 'arg' parameter indicates what we should do with sequence value.
1135 * When function called, seq is incremented after MAC calculation.
1136 * In ETM mode, we use seq 'as is' in the ctrl-function (arg = 0)
1137 * Otherwise we have to decrease it in the implementation (arg = 1).
1139 memcpy(seq, ptr, 8);
1140 decrement_arg = arg;
1141 if (!decrement_sequence(seq, decrement_arg))
1143 GOSTerr(GOST_F_GOST_GRASSHOPPER_CIPHER_CTL, GOST_R_CTRL_CALL_FAILED);
1147 if (gost_tlstree(NID_grasshopper_cbc, c->master_key.k.b, newkey,
1148 (const unsigned char *)seq) > 0) {
1149 memset(adjusted_iv, 0, 16);
1150 memcpy(adjusted_iv, EVP_CIPHER_CTX_original_iv(ctx), 8);
1151 for(j=7,carry=0; j>=0; j--)
1153 int adj_byte = adjusted_iv[j]+seq[j]+carry;
1154 carry = (adj_byte > 255) ? 1 : 0;
1155 adjusted_iv[j] = adj_byte & 0xFF;
1157 EVP_CIPHER_CTX_set_num(ctx, 0);
1158 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), adjusted_iv, 16);
1160 gost_grasshopper_cipher_key(c, newkey);
1166 case EVP_CTRL_AEAD_GET_TAG:
1167 case EVP_CTRL_AEAD_SET_TAG:
1170 unsigned char *tag = ptr;
1172 gost_grasshopper_cipher_ctx *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
1173 if (c->c.type != GRASSHOPPER_CIPHER_MGM)
1176 if (taglen > KUZNYECHIK_MAC_MAX_SIZE) {
1177 CRYPTOCOMerr(CRYPTOCOM_F_GOST_GRASSHOPPER_CIPHER_CTL,
1178 CRYPTOCOM_R_INVALID_TAG_LENGTH);
1182 if (type == EVP_CTRL_AEAD_GET_TAG)
1183 memcpy(tag, c->final_tag, taglen);
1185 memcpy(c->final_tag, tag, taglen);
1190 case EVP_CTRL_PROCESS_UNPROTECTED:
1192 STACK_OF(X509_ATTRIBUTE) *x = ptr;
1193 gost_grasshopper_cipher_ctx_ctr *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
1195 if (c->c.type != GRASSHOPPER_CIPHER_CTRACPKMOMAC)
1198 return gost2015_process_unprotected_attributes(x, arg, KUZNYECHIK_MAC_MAX_SIZE, c->tag);
1200 case EVP_CTRL_COPY: {
1201 EVP_CIPHER_CTX *out = ptr;
1203 gost_grasshopper_cipher_ctx_ctr *out_cctx = EVP_CIPHER_CTX_get_cipher_data(out);
1204 gost_grasshopper_cipher_ctx_ctr *in_cctx = EVP_CIPHER_CTX_get_cipher_data(ctx);
1206 if (in_cctx->c.type != GRASSHOPPER_CIPHER_CTRACPKMOMAC)
1209 if (in_cctx->omac_ctx == out_cctx->omac_ctx) {
1210 out_cctx->omac_ctx = EVP_MD_CTX_new();
1211 if (out_cctx->omac_ctx == NULL) {
1212 GOSTerr(GOST_F_GOST_GRASSHOPPER_CIPHER_CTL, ERR_R_MALLOC_FAILURE);
1216 return EVP_MD_CTX_copy(out_cctx->omac_ctx, in_cctx->omac_ctx);
1219 GOSTerr(GOST_F_GOST_GRASSHOPPER_CIPHER_CTL,
1220 GOST_R_UNSUPPORTED_CIPHER_CTL_COMMAND);
1226 /* Called directly by CMAC_ACPKM_Init() */
1227 const EVP_CIPHER *cipher_gost_grasshopper_ctracpkm()
1229 return GOST_init_cipher(&grasshopper_ctr_acpkm_cipher);
1231 /* vim: set expandtab cinoptions=\:0,l1,t0,g0,(0 sw=4 : */
projects / openssl-gost / engine.git / blob