3 * Copyright (c) 2020 Vitaly Chikunov <vt@altlinux.org>
4 * This file is distributed under the same license as OpenSSL
7 #include "gost_grasshopper_cipher.h"
8 #include "gost_grasshopper_defines.h"
9 #include "gost_grasshopper_math.h"
10 #include "gost_grasshopper_core.h"
11 #include "gost_gost2015.h"
13 #include <openssl/evp.h>
14 #include <openssl/rand.h>
15 #include <openssl/err.h>
19 #include "e_gost_err.h"
21 enum GRASSHOPPER_CIPHER_TYPE {
22 GRASSHOPPER_CIPHER_ECB = 0,
23 GRASSHOPPER_CIPHER_CBC,
24 GRASSHOPPER_CIPHER_OFB,
25 GRASSHOPPER_CIPHER_CFB,
26 GRASSHOPPER_CIPHER_CTR,
27 GRASSHOPPER_CIPHER_CTRACPKM,
28 GRASSHOPPER_CIPHER_CTRACPKMOMAC,
31 static EVP_CIPHER *gost_grasshopper_ciphers[7] = {
32 NULL, NULL, NULL, NULL, NULL, NULL, NULL
35 static GRASSHOPPER_INLINE void
36 gost_grasshopper_cipher_destroy_ctr(gost_grasshopper_cipher_ctx * c);
38 struct GRASSHOPPER_CIPHER_PARAMS {
40 grasshopper_init_cipher_func init_cipher;
41 grasshopper_do_cipher_func do_cipher;
42 grasshopper_destroy_cipher_func destroy_cipher;
50 static GOST_cipher grasshopper_template_cipher = {
51 .block_size = GRASSHOPPER_BLOCK_SIZE,
52 .key_len = GRASSHOPPER_KEY_SIZE,
53 .flags = EVP_CIPH_RAND_KEY |
54 EVP_CIPH_ALWAYS_CALL_INIT,
55 .do_cipher = gost_grasshopper_cipher_do,
56 .cleanup = gost_grasshopper_cipher_cleanup,
57 .ctx_size = sizeof(gost_grasshopper_cipher_ctx),
58 .set_asn1_parameters = gost_grasshopper_set_asn1_parameters,
59 .get_asn1_parameters = gost_grasshopper_get_asn1_parameters,
60 .ctrl = gost_grasshopper_cipher_ctl,
63 GOST_cipher grasshopper_ecb_cipher = {
64 .nid = NID_grasshopper_ecb,
65 .template = &grasshopper_template_cipher,
66 .flags = EVP_CIPH_ECB_MODE,
67 .init = gost_grasshopper_cipher_init_ecb,
68 .do_cipher = gost_grasshopper_cipher_do_ecb,
71 GOST_cipher grasshopper_cbc_cipher = {
72 .nid = NID_grasshopper_cbc,
73 .template = &grasshopper_template_cipher,
75 .flags = EVP_CIPH_CBC_MODE |
77 .init = gost_grasshopper_cipher_init_cbc,
78 .do_cipher = gost_grasshopper_cipher_do_cbc,
81 GOST_cipher grasshopper_ofb_cipher = {
82 .nid = NID_grasshopper_ofb,
83 .template = &grasshopper_template_cipher,
86 .flags = EVP_CIPH_OFB_MODE |
89 .init = gost_grasshopper_cipher_init_ofb,
90 .do_cipher = gost_grasshopper_cipher_do_ofb,
93 GOST_cipher grasshopper_cfb_cipher = {
94 .nid = NID_grasshopper_cfb,
95 .template = &grasshopper_template_cipher,
98 .flags = EVP_CIPH_CFB_MODE |
101 .init = gost_grasshopper_cipher_init_cfb,
102 .do_cipher = gost_grasshopper_cipher_do_cfb,
105 GOST_cipher grasshopper_ctr_cipher = {
106 .nid = NID_grasshopper_ctr,
107 .template = &grasshopper_template_cipher,
110 .flags = EVP_CIPH_CTR_MODE |
111 EVP_CIPH_NO_PADDING |
113 .init = gost_grasshopper_cipher_init_ctr,
114 .do_cipher = gost_grasshopper_cipher_do_ctr,
115 .ctx_size = sizeof(gost_grasshopper_cipher_ctx_ctr),
118 GOST_cipher grasshopper_ctr_acpkm_cipher = {
119 .nid = NID_kuznyechik_ctr_acpkm,
120 .template = &grasshopper_template_cipher,
123 .flags = EVP_CIPH_CTR_MODE |
124 EVP_CIPH_NO_PADDING |
126 .init = gost_grasshopper_cipher_init_ctracpkm,
127 .do_cipher = gost_grasshopper_cipher_do_ctracpkm,
128 .ctx_size = sizeof(gost_grasshopper_cipher_ctx_ctr),
131 GOST_cipher grasshopper_ctr_acpkm_omac_cipher = {
132 .nid = NID_kuznyechik_ctr_acpkm_omac,
133 .template = &grasshopper_template_cipher,
136 .flags = EVP_CIPH_CTR_MODE |
137 EVP_CIPH_NO_PADDING |
139 EVP_CIPH_FLAG_CUSTOM_CIPHER |
140 EVP_CIPH_FLAG_CIPHER_WITH_MAC |
141 EVP_CIPH_CUSTOM_COPY,
142 .init = gost_grasshopper_cipher_init_ctracpkm_omac,
143 .do_cipher = gost_grasshopper_cipher_do_ctracpkm_omac,
144 .ctx_size = sizeof(gost_grasshopper_cipher_ctx_ctr),
147 static struct GRASSHOPPER_CIPHER_PARAMS gost_cipher_params[7] = {
150 gost_grasshopper_cipher_init_ecb,
151 gost_grasshopper_cipher_do_ecb,
154 sizeof(gost_grasshopper_cipher_ctx),
161 gost_grasshopper_cipher_init_cbc,
162 gost_grasshopper_cipher_do_cbc,
165 sizeof(gost_grasshopper_cipher_ctx),
172 gost_grasshopper_cipher_init_ofb,
173 gost_grasshopper_cipher_do_ofb,
176 sizeof(gost_grasshopper_cipher_ctx),
183 gost_grasshopper_cipher_init_cfb,
184 gost_grasshopper_cipher_do_cfb,
187 sizeof(gost_grasshopper_cipher_ctx),
194 gost_grasshopper_cipher_init_ctr,
195 gost_grasshopper_cipher_do_ctr,
196 gost_grasshopper_cipher_destroy_ctr,
198 sizeof(gost_grasshopper_cipher_ctx_ctr),
204 NID_kuznyechik_ctr_acpkm,
205 gost_grasshopper_cipher_init_ctracpkm,
206 gost_grasshopper_cipher_do_ctracpkm,
207 gost_grasshopper_cipher_destroy_ctr,
209 sizeof(gost_grasshopper_cipher_ctx_ctr),
215 NID_kuznyechik_ctr_acpkm_omac,
216 gost_grasshopper_cipher_init_ctracpkm_omac,
217 gost_grasshopper_cipher_do_ctracpkm_omac,
218 gost_grasshopper_cipher_destroy_ctr,
220 sizeof(gost_grasshopper_cipher_ctx_ctr),
223 EVP_CIPH_FLAG_CUSTOM_CIPHER|EVP_CIPH_FLAG_CIPHER_WITH_MAC|EVP_CIPH_CUSTOM_COPY
227 /* first 256 bit of D from draft-irtf-cfrg-re-keying-12 */
228 static const unsigned char ACPKM_D_2018[] = {
229 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, /* 64 bit */
230 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f, /* 128 bit */
231 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
232 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f, /* 256 bit */
235 static void acpkm_next(gost_grasshopper_cipher_ctx * c)
237 unsigned char newkey[GRASSHOPPER_KEY_SIZE];
238 const int J = GRASSHOPPER_KEY_SIZE / GRASSHOPPER_BLOCK_SIZE;
241 for (n = 0; n < J; n++) {
242 const unsigned char *D_n = &ACPKM_D_2018[n * GRASSHOPPER_BLOCK_SIZE];
244 grasshopper_encrypt_block(&c->encrypt_round_keys,
245 (grasshopper_w128_t *) D_n,
246 (grasshopper_w128_t *) & newkey[n *
247 GRASSHOPPER_BLOCK_SIZE],
250 gost_grasshopper_cipher_key(c, newkey);
253 /* Set 256 bit key into context */
254 GRASSHOPPER_INLINE void
255 gost_grasshopper_cipher_key(gost_grasshopper_cipher_ctx * c, const uint8_t *k)
258 for (i = 0; i < 2; i++) {
259 grasshopper_copy128(&c->key.k.k[i],
260 (const grasshopper_w128_t *)(k + i * 16));
263 grasshopper_set_encrypt_key(&c->encrypt_round_keys, &c->key);
264 grasshopper_set_decrypt_key(&c->decrypt_round_keys, &c->key);
267 /* Set master 256-bit key to be used in TLSTREE calculation into context */
268 GRASSHOPPER_INLINE void
269 gost_grasshopper_master_key(gost_grasshopper_cipher_ctx * c, const uint8_t *k)
272 for (i = 0; i < 2; i++) {
273 grasshopper_copy128(&c->master_key.k.k[i],
274 (const grasshopper_w128_t *)(k + i * 16));
278 /* Cleans up key from context */
279 GRASSHOPPER_INLINE void
280 gost_grasshopper_cipher_destroy(gost_grasshopper_cipher_ctx * c)
283 for (i = 0; i < 2; i++) {
284 grasshopper_zero128(&c->key.k.k[i]);
285 grasshopper_zero128(&c->master_key.k.k[i]);
287 for (i = 0; i < GRASSHOPPER_ROUND_KEYS_COUNT; i++) {
288 grasshopper_zero128(&c->encrypt_round_keys.k[i]);
290 for (i = 0; i < GRASSHOPPER_ROUND_KEYS_COUNT; i++) {
291 grasshopper_zero128(&c->decrypt_round_keys.k[i]);
293 grasshopper_zero128(&c->buffer);
296 static GRASSHOPPER_INLINE void
297 gost_grasshopper_cipher_destroy_ctr(gost_grasshopper_cipher_ctx * c)
299 gost_grasshopper_cipher_ctx_ctr *ctx =
300 (gost_grasshopper_cipher_ctx_ctr *) c;
303 EVP_MD_CTX_free(ctx->omac_ctx);
305 grasshopper_zero128(&ctx->partial_buffer);
308 int gost_grasshopper_cipher_init(EVP_CIPHER_CTX *ctx,
309 const unsigned char *key,
310 const unsigned char *iv, int enc)
312 gost_grasshopper_cipher_ctx *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
314 if (EVP_CIPHER_CTX_get_app_data(ctx) == NULL) {
315 EVP_CIPHER_CTX_set_app_data(ctx, EVP_CIPHER_CTX_get_cipher_data(ctx));
316 if (enc && c->type == GRASSHOPPER_CIPHER_CTRACPKM) {
317 gost_grasshopper_cipher_ctx_ctr *ctr = EVP_CIPHER_CTX_get_cipher_data(ctx);
318 if (init_zero_kdf_seed(ctr->kdf_seed) == 0)
324 gost_grasshopper_cipher_key(c, key);
325 gost_grasshopper_master_key(c, key);
329 memcpy((unsigned char *)EVP_CIPHER_CTX_original_iv(ctx), iv,
330 EVP_CIPHER_CTX_iv_length(ctx));
333 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx),
334 EVP_CIPHER_CTX_original_iv(ctx), EVP_CIPHER_CTX_iv_length(ctx));
336 grasshopper_zero128(&c->buffer);
341 GRASSHOPPER_INLINE int gost_grasshopper_cipher_init_ecb(EVP_CIPHER_CTX *ctx, const unsigned char
342 *key, const unsigned char
345 gost_grasshopper_cipher_ctx *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
346 c->type = GRASSHOPPER_CIPHER_ECB;
347 return gost_grasshopper_cipher_init(ctx, key, iv, enc);
350 GRASSHOPPER_INLINE int gost_grasshopper_cipher_init_cbc(EVP_CIPHER_CTX *ctx, const unsigned char
351 *key, const unsigned char
354 gost_grasshopper_cipher_ctx *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
355 c->type = GRASSHOPPER_CIPHER_CBC;
356 return gost_grasshopper_cipher_init(ctx, key, iv, enc);
359 GRASSHOPPER_INLINE int gost_grasshopper_cipher_init_ofb(EVP_CIPHER_CTX *ctx, const unsigned char
360 *key, const unsigned char
363 gost_grasshopper_cipher_ctx *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
364 c->type = GRASSHOPPER_CIPHER_OFB;
365 return gost_grasshopper_cipher_init(ctx, key, iv, enc);
368 GRASSHOPPER_INLINE int gost_grasshopper_cipher_init_cfb(EVP_CIPHER_CTX *ctx, const unsigned char
369 *key, const unsigned char
372 gost_grasshopper_cipher_ctx *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
373 c->type = GRASSHOPPER_CIPHER_CFB;
374 return gost_grasshopper_cipher_init(ctx, key, iv, enc);
377 GRASSHOPPER_INLINE int gost_grasshopper_cipher_init_ctr(EVP_CIPHER_CTX *ctx, const unsigned char
378 *key, const unsigned char
381 gost_grasshopper_cipher_ctx_ctr *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
383 c->c.type = GRASSHOPPER_CIPHER_CTR;
384 EVP_CIPHER_CTX_set_num(ctx, 0);
386 grasshopper_zero128(&c->partial_buffer);
388 return gost_grasshopper_cipher_init(ctx, key, iv, enc);
391 GRASSHOPPER_INLINE int gost_grasshopper_cipher_init_ctracpkm(EVP_CIPHER_CTX
393 char *key, const unsigned
396 gost_grasshopper_cipher_ctx_ctr *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
398 /* NB: setting type makes EVP do_cipher callback useless */
399 c->c.type = GRASSHOPPER_CIPHER_CTRACPKM;
400 EVP_CIPHER_CTX_set_num(ctx, 0);
401 c->section_size = 4096;
403 return gost_grasshopper_cipher_init(ctx, key, iv, enc);
406 GRASSHOPPER_INLINE int gost_grasshopper_cipher_init_ctracpkm_omac(EVP_CIPHER_CTX
408 char *key, const unsigned
411 gost_grasshopper_cipher_ctx_ctr *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
413 /* NB: setting type makes EVP do_cipher callback useless */
414 c->c.type = GRASSHOPPER_CIPHER_CTRACPKMOMAC;
415 EVP_CIPHER_CTX_set_num(ctx, 0);
416 c->section_size = 4096;
419 unsigned char cipher_key[32];
420 c->omac_ctx = EVP_MD_CTX_new();
422 if (c->omac_ctx == NULL) {
423 GOSTerr(GOST_F_GOST_GRASSHOPPER_CIPHER_INIT_CTRACPKM_OMAC, ERR_R_MALLOC_FAILURE);
427 if (gost2015_acpkm_omac_init(NID_kuznyechik_mac, enc, key,
428 c->omac_ctx, cipher_key, c->kdf_seed) != 1) {
429 EVP_MD_CTX_free(c->omac_ctx);
434 return gost_grasshopper_cipher_init(ctx, cipher_key, iv, enc);
437 return gost_grasshopper_cipher_init(ctx, key, iv, enc);
440 GRASSHOPPER_INLINE int gost_grasshopper_cipher_do(EVP_CIPHER_CTX *ctx,
442 const unsigned char *in,
445 gost_grasshopper_cipher_ctx *c =
446 (gost_grasshopper_cipher_ctx *) EVP_CIPHER_CTX_get_cipher_data(ctx);
447 struct GRASSHOPPER_CIPHER_PARAMS *params = &gost_cipher_params[c->type];
449 return params->do_cipher(ctx, out, in, inl);
452 int gost_grasshopper_cipher_do_ecb(EVP_CIPHER_CTX *ctx, unsigned char *out,
453 const unsigned char *in, size_t inl)
455 gost_grasshopper_cipher_ctx *c =
456 (gost_grasshopper_cipher_ctx *) EVP_CIPHER_CTX_get_cipher_data(ctx);
457 bool encrypting = (bool) EVP_CIPHER_CTX_encrypting(ctx);
458 const unsigned char *current_in = in;
459 unsigned char *current_out = out;
460 size_t blocks = inl / GRASSHOPPER_BLOCK_SIZE;
463 for (i = 0; i < blocks;
464 i++, current_in += GRASSHOPPER_BLOCK_SIZE, current_out +=
465 GRASSHOPPER_BLOCK_SIZE) {
467 grasshopper_encrypt_block(&c->encrypt_round_keys,
468 (grasshopper_w128_t *) current_in,
469 (grasshopper_w128_t *) current_out,
472 grasshopper_decrypt_block(&c->decrypt_round_keys,
473 (grasshopper_w128_t *) current_in,
474 (grasshopper_w128_t *) current_out,
482 int gost_grasshopper_cipher_do_cbc(EVP_CIPHER_CTX *ctx, unsigned char *out,
483 const unsigned char *in, size_t inl)
485 gost_grasshopper_cipher_ctx *c =
486 (gost_grasshopper_cipher_ctx *) EVP_CIPHER_CTX_get_cipher_data(ctx);
487 unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
488 bool encrypting = (bool) EVP_CIPHER_CTX_encrypting(ctx);
489 const unsigned char *current_in = in;
490 unsigned char *current_out = out;
491 size_t blocks = inl / GRASSHOPPER_BLOCK_SIZE;
493 grasshopper_w128_t *currentBlock;
495 currentBlock = (grasshopper_w128_t *) iv;
497 for (i = 0; i < blocks;
498 i++, current_in += GRASSHOPPER_BLOCK_SIZE, current_out +=
499 GRASSHOPPER_BLOCK_SIZE) {
500 grasshopper_w128_t *currentInputBlock = (grasshopper_w128_t *) current_in;
501 grasshopper_w128_t *currentOutputBlock = (grasshopper_w128_t *) current_out;
503 grasshopper_append128(currentBlock, currentInputBlock);
504 grasshopper_encrypt_block(&c->encrypt_round_keys, currentBlock,
505 currentOutputBlock, &c->buffer);
506 grasshopper_copy128(currentBlock, currentOutputBlock);
508 grasshopper_w128_t tmp;
510 grasshopper_copy128(&tmp, currentInputBlock);
511 grasshopper_decrypt_block(&c->decrypt_round_keys,
512 currentInputBlock, currentOutputBlock,
514 grasshopper_append128(currentOutputBlock, currentBlock);
515 grasshopper_copy128(currentBlock, &tmp);
522 void inc_counter(unsigned char *counter, size_t counter_bytes)
524 unsigned int n = counter_bytes;
537 /* increment counter (128-bit int) by 1 */
538 static void ctr128_inc(unsigned char *counter)
540 inc_counter(counter, 16);
543 int gost_grasshopper_cipher_do_ctr(EVP_CIPHER_CTX *ctx, unsigned char *out,
544 const unsigned char *in, size_t inl)
546 gost_grasshopper_cipher_ctx_ctr *c = (gost_grasshopper_cipher_ctx_ctr *)
547 EVP_CIPHER_CTX_get_cipher_data(ctx);
548 unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
549 const unsigned char *current_in = in;
550 unsigned char *current_out = out;
551 grasshopper_w128_t *currentInputBlock;
552 grasshopper_w128_t *currentOutputBlock;
553 unsigned int n = EVP_CIPHER_CTX_num(ctx);
557 grasshopper_w128_t *iv_buffer;
558 grasshopper_w128_t tmp;
560 while (n && lasted) {
561 *(current_out++) = *(current_in++) ^ c->partial_buffer.b[n];
563 n = (n + 1) % GRASSHOPPER_BLOCK_SIZE;
565 EVP_CIPHER_CTX_set_num(ctx, n);
566 blocks = lasted / GRASSHOPPER_BLOCK_SIZE;
568 iv_buffer = (grasshopper_w128_t *) iv;
571 for (i = 0; i < blocks; i++) {
572 currentInputBlock = (grasshopper_w128_t *) current_in;
573 currentOutputBlock = (grasshopper_w128_t *) current_out;
574 grasshopper_encrypt_block(&c->c.encrypt_round_keys, iv_buffer,
575 &c->partial_buffer, &c->c.buffer);
576 grasshopper_plus128(&tmp, &c->partial_buffer, currentInputBlock);
577 grasshopper_copy128(currentOutputBlock, &tmp);
578 ctr128_inc(iv_buffer->b);
579 current_in += GRASSHOPPER_BLOCK_SIZE;
580 current_out += GRASSHOPPER_BLOCK_SIZE;
581 lasted -= GRASSHOPPER_BLOCK_SIZE;
585 currentInputBlock = (grasshopper_w128_t *) current_in;
586 currentOutputBlock = (grasshopper_w128_t *) current_out;
587 grasshopper_encrypt_block(&c->c.encrypt_round_keys, iv_buffer,
588 &c->partial_buffer, &c->c.buffer);
589 for (i = 0; i < lasted; i++) {
590 currentOutputBlock->b[i] =
591 c->partial_buffer.b[i] ^ currentInputBlock->b[i];
593 EVP_CIPHER_CTX_set_num(ctx, i);
594 ctr128_inc(iv_buffer->b);
600 #define GRASSHOPPER_BLOCK_MASK (GRASSHOPPER_BLOCK_SIZE - 1)
601 static inline void apply_acpkm_grasshopper(gost_grasshopper_cipher_ctx_ctr *
602 ctx, unsigned int *num)
604 if (!ctx->section_size || (*num < ctx->section_size))
607 *num &= GRASSHOPPER_BLOCK_MASK;
610 /* If meshing is not configured via ctrl (setting section_size)
611 * this function works exactly like plain ctr */
612 int gost_grasshopper_cipher_do_ctracpkm(EVP_CIPHER_CTX *ctx,
614 const unsigned char *in, size_t inl)
616 gost_grasshopper_cipher_ctx_ctr *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
617 unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
618 unsigned int num = EVP_CIPHER_CTX_num(ctx);
619 size_t blocks, i, lasted = inl;
620 grasshopper_w128_t tmp;
622 while ((num & GRASSHOPPER_BLOCK_MASK) && lasted) {
623 *out++ = *in++ ^ c->partial_buffer.b[num & GRASSHOPPER_BLOCK_MASK];
627 blocks = lasted / GRASSHOPPER_BLOCK_SIZE;
630 for (i = 0; i < blocks; i++) {
631 apply_acpkm_grasshopper(c, &num);
632 grasshopper_encrypt_block(&c->c.encrypt_round_keys,
633 (grasshopper_w128_t *) iv,
634 (grasshopper_w128_t *) & c->partial_buffer,
636 grasshopper_plus128(&tmp, &c->partial_buffer,
637 (grasshopper_w128_t *) in);
638 grasshopper_copy128((grasshopper_w128_t *) out, &tmp);
640 in += GRASSHOPPER_BLOCK_SIZE;
641 out += GRASSHOPPER_BLOCK_SIZE;
642 num += GRASSHOPPER_BLOCK_SIZE;
643 lasted -= GRASSHOPPER_BLOCK_SIZE;
648 apply_acpkm_grasshopper(c, &num);
649 grasshopper_encrypt_block(&c->c.encrypt_round_keys,
650 (grasshopper_w128_t *) iv,
651 &c->partial_buffer, &c->c.buffer);
652 for (i = 0; i < lasted; i++)
653 out[i] = c->partial_buffer.b[i] ^ in[i];
657 EVP_CIPHER_CTX_set_num(ctx, num);
662 int gost_grasshopper_cipher_do_ctracpkm_omac(EVP_CIPHER_CTX *ctx,
664 const unsigned char *in, size_t inl)
667 gost_grasshopper_cipher_ctx_ctr *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
668 /* As in and out can be the same pointer, process unencrypted here */
669 if (EVP_CIPHER_CTX_encrypting(ctx))
670 EVP_DigestSignUpdate(c->omac_ctx, in, inl);
672 if (in == NULL && inl == 0) { /* Final call */
673 return gost2015_final_call(ctx, c->omac_ctx, KUZNYECHIK_MAC_MAX_SIZE, c->tag, gost_grasshopper_cipher_do_ctracpkm);
677 GOSTerr(GOST_F_GOST_GRASSHOPPER_CIPHER_DO_CTRACPKM_OMAC, ERR_R_EVP_LIB);
680 result = gost_grasshopper_cipher_do_ctracpkm(ctx, out, in, inl);
682 /* As in and out can be the same pointer, process decrypted here */
683 if (!EVP_CIPHER_CTX_encrypting(ctx))
684 EVP_DigestSignUpdate(c->omac_ctx, out, inl);
689 * Fixed 128-bit IV implementation make shift regiser redundant.
691 static void gost_grasshopper_cnt_next(gost_grasshopper_cipher_ctx * ctx,
692 grasshopper_w128_t * iv,
693 grasshopper_w128_t * buf)
695 grasshopper_w128_t tmp;
696 memcpy(&tmp, iv, 16);
697 grasshopper_encrypt_block(&ctx->encrypt_round_keys, &tmp,
702 int gost_grasshopper_cipher_do_ofb(EVP_CIPHER_CTX *ctx, unsigned char *out,
703 const unsigned char *in, size_t inl)
705 gost_grasshopper_cipher_ctx *c = (gost_grasshopper_cipher_ctx *)
706 EVP_CIPHER_CTX_get_cipher_data(ctx);
707 const unsigned char *in_ptr = in;
708 unsigned char *out_ptr = out;
709 unsigned char *buf = EVP_CIPHER_CTX_buf_noconst(ctx);
710 unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
711 int num = EVP_CIPHER_CTX_num(ctx);
715 /* process partial block if any */
717 for (j = (size_t)num, i = 0; j < GRASSHOPPER_BLOCK_SIZE && i < inl;
718 j++, i++, in_ptr++, out_ptr++) {
719 *out_ptr = buf[j] ^ (*in_ptr);
721 if (j == GRASSHOPPER_BLOCK_SIZE) {
722 EVP_CIPHER_CTX_set_num(ctx, 0);
724 EVP_CIPHER_CTX_set_num(ctx, (int)j);
729 for (; i + GRASSHOPPER_BLOCK_SIZE <
731 i += GRASSHOPPER_BLOCK_SIZE, in_ptr +=
732 GRASSHOPPER_BLOCK_SIZE, out_ptr += GRASSHOPPER_BLOCK_SIZE) {
734 * block cipher current iv
737 gost_grasshopper_cnt_next(c, (grasshopper_w128_t *) iv,
738 (grasshopper_w128_t *) buf);
741 * xor next block of input text with it and output it
746 for (j = 0; j < GRASSHOPPER_BLOCK_SIZE; j++) {
747 out_ptr[j] = buf[j] ^ in_ptr[j];
751 /* Process rest of buffer */
753 gost_grasshopper_cnt_next(c, (grasshopper_w128_t *) iv,
754 (grasshopper_w128_t *) buf);
755 for (j = 0; i < inl; j++, i++) {
756 out_ptr[j] = buf[j] ^ in_ptr[j];
758 EVP_CIPHER_CTX_set_num(ctx, (int)j);
760 EVP_CIPHER_CTX_set_num(ctx, 0);
766 int gost_grasshopper_cipher_do_cfb(EVP_CIPHER_CTX *ctx, unsigned char *out,
767 const unsigned char *in, size_t inl)
769 gost_grasshopper_cipher_ctx *c =
770 (gost_grasshopper_cipher_ctx *) EVP_CIPHER_CTX_get_cipher_data(ctx);
771 const unsigned char *in_ptr = in;
772 unsigned char *out_ptr = out;
773 unsigned char *buf = EVP_CIPHER_CTX_buf_noconst(ctx);
774 unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
775 bool encrypting = (bool) EVP_CIPHER_CTX_encrypting(ctx);
776 int num = EVP_CIPHER_CTX_num(ctx);
780 /* process partial block if any */
782 for (j = (size_t)num, i = 0; j < GRASSHOPPER_BLOCK_SIZE && i < inl;
783 j++, i++, in_ptr++, out_ptr++) {
785 buf[j + GRASSHOPPER_BLOCK_SIZE] = *in_ptr;
787 *out_ptr = buf[j] ^ (*in_ptr);
789 buf[j + GRASSHOPPER_BLOCK_SIZE] = *out_ptr;
792 if (j == GRASSHOPPER_BLOCK_SIZE) {
793 memcpy(iv, buf + GRASSHOPPER_BLOCK_SIZE, GRASSHOPPER_BLOCK_SIZE);
794 EVP_CIPHER_CTX_set_num(ctx, 0);
796 EVP_CIPHER_CTX_set_num(ctx, (int)j);
801 for (; i + GRASSHOPPER_BLOCK_SIZE <
803 i += GRASSHOPPER_BLOCK_SIZE, in_ptr +=
804 GRASSHOPPER_BLOCK_SIZE, out_ptr += GRASSHOPPER_BLOCK_SIZE) {
806 * block cipher current iv
808 grasshopper_encrypt_block(&c->encrypt_round_keys,
809 (grasshopper_w128_t *) iv,
810 (grasshopper_w128_t *) buf, &c->buffer);
812 * xor next block of input text with it and output it
818 memcpy(iv, in_ptr, GRASSHOPPER_BLOCK_SIZE);
820 for (j = 0; j < GRASSHOPPER_BLOCK_SIZE; j++) {
821 out_ptr[j] = buf[j] ^ in_ptr[j];
824 /* Next iv is next block of cipher text */
826 memcpy(iv, out_ptr, GRASSHOPPER_BLOCK_SIZE);
830 /* Process rest of buffer */
832 grasshopper_encrypt_block(&c->encrypt_round_keys,
833 (grasshopper_w128_t *) iv,
834 (grasshopper_w128_t *) buf, &c->buffer);
836 memcpy(buf + GRASSHOPPER_BLOCK_SIZE, in_ptr, inl - i);
838 for (j = 0; i < inl; j++, i++) {
839 out_ptr[j] = buf[j] ^ in_ptr[j];
841 EVP_CIPHER_CTX_set_num(ctx, (int)j);
843 memcpy(buf + GRASSHOPPER_BLOCK_SIZE, out_ptr, j);
846 EVP_CIPHER_CTX_set_num(ctx, 0);
852 int gost_grasshopper_cipher_cleanup(EVP_CIPHER_CTX *ctx)
854 struct GRASSHOPPER_CIPHER_PARAMS *params;
855 gost_grasshopper_cipher_ctx *c =
856 (gost_grasshopper_cipher_ctx *) EVP_CIPHER_CTX_get_cipher_data(ctx);
861 params = &gost_cipher_params[c->type];
863 gost_grasshopper_cipher_destroy(c);
864 if (params->destroy_cipher != NULL) {
865 params->destroy_cipher(c);
868 EVP_CIPHER_CTX_set_app_data(ctx, NULL);
873 int gost_grasshopper_set_asn1_parameters(EVP_CIPHER_CTX *ctx, ASN1_TYPE *params)
875 if (EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_CTR_MODE) {
876 gost_grasshopper_cipher_ctx_ctr *ctr = EVP_CIPHER_CTX_get_cipher_data(ctx);
878 /* CMS implies 256kb section_size */
879 ctr->section_size = 256*1024;
881 return gost2015_set_asn1_params(params, EVP_CIPHER_CTX_original_iv(ctx), 8,
887 GRASSHOPPER_INLINE int gost_grasshopper_get_asn1_parameters(EVP_CIPHER_CTX
891 if (EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_CTR_MODE) {
892 gost_grasshopper_cipher_ctx_ctr *ctr = EVP_CIPHER_CTX_get_cipher_data(ctx);
895 unsigned char iv[16];
897 if (gost2015_get_asn1_params(params, 16, iv, 8, ctr->kdf_seed) == 0) {
901 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, iv_len);
902 memcpy((unsigned char *)EVP_CIPHER_CTX_original_iv(ctx), iv, iv_len);
904 /* CMS implies 256kb section_size */
905 ctr->section_size = 256*1024;
911 int gost_grasshopper_cipher_ctl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
914 case EVP_CTRL_RAND_KEY:{
916 ((unsigned char *)ptr, EVP_CIPHER_CTX_key_length(ctx)) <= 0) {
917 GOSTerr(GOST_F_GOST_GRASSHOPPER_CIPHER_CTL, GOST_R_RNG_ERROR);
922 case EVP_CTRL_KEY_MESH:{
923 gost_grasshopper_cipher_ctx_ctr *c =
924 EVP_CIPHER_CTX_get_cipher_data(ctx);
925 if ((c->c.type != GRASSHOPPER_CIPHER_CTRACPKM &&
926 c->c.type != GRASSHOPPER_CIPHER_CTRACPKMOMAC)
928 || (arg % GRASSHOPPER_BLOCK_SIZE))
930 c->section_size = arg;
933 #ifdef EVP_CTRL_TLS1_2_TLSTREE
934 case EVP_CTRL_TLS1_2_TLSTREE:
936 unsigned char newkey[32];
937 int mode = EVP_CIPHER_CTX_mode(ctx);
938 static const unsigned char zeroseq[8];
939 gost_grasshopper_cipher_ctx_ctr *ctr_ctx = NULL;
940 gost_grasshopper_cipher_ctx *c = NULL;
942 unsigned char adjusted_iv[16];
943 unsigned char seq[8];
945 if (mode != EVP_CIPH_CTR_MODE)
948 ctr_ctx = (gost_grasshopper_cipher_ctx_ctr *)
949 EVP_CIPHER_CTX_get_cipher_data(ctx);
953 if (EVP_CIPHER_CTX_encrypting(ctx)) {
955 * OpenSSL increments seq after mac calculation.
956 * As we have Mac-Then-Encrypt, we need decrement it here on encryption
957 * to derive the key correctly.
959 if (memcmp(seq, zeroseq, 8) != 0)
963 if (seq[j] != 0) {seq[j]--; break;}
968 if (gost_tlstree(NID_grasshopper_cbc, c->master_key.k.b, newkey,
969 (const unsigned char *)seq) > 0) {
970 memset(adjusted_iv, 0, 16);
971 memcpy(adjusted_iv, EVP_CIPHER_CTX_original_iv(ctx), 8);
972 for(j=7,carry=0; j>=0; j--)
974 int adj_byte = adjusted_iv[j]+seq[j]+carry;
975 carry = (adj_byte > 255) ? 1 : 0;
976 adjusted_iv[j] = adj_byte & 0xFF;
978 EVP_CIPHER_CTX_set_num(ctx, 0);
979 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), adjusted_iv, 16);
981 gost_grasshopper_cipher_key(c, newkey);
988 case EVP_CTRL_AEAD_GET_TAG:
989 case EVP_CTRL_AEAD_SET_TAG:
992 unsigned char *tag = ptr;
994 gost_grasshopper_cipher_ctx *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
995 if (c->c.type != GRASSHOPPER_CIPHER_MGM)
998 if (taglen > KUZNYECHIK_MAC_MAX_SIZE) {
999 CRYPTOCOMerr(CRYPTOCOM_F_GOST_GRASSHOPPER_CIPHER_CTL,
1000 CRYPTOCOM_R_INVALID_TAG_LENGTH);
1004 if (type == EVP_CTRL_AEAD_GET_TAG)
1005 memcpy(tag, c->final_tag, taglen);
1007 memcpy(c->final_tag, tag, taglen);
1012 case EVP_CTRL_PROCESS_UNPROTECTED:
1014 STACK_OF(X509_ATTRIBUTE) *x = ptr;
1015 gost_grasshopper_cipher_ctx_ctr *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
1017 if (c->c.type != GRASSHOPPER_CIPHER_CTRACPKMOMAC)
1020 return gost2015_process_unprotected_attributes(x, arg, KUZNYECHIK_MAC_MAX_SIZE, c->tag);
1023 case EVP_CTRL_COPY: {
1024 EVP_CIPHER_CTX *out = ptr;
1026 gost_grasshopper_cipher_ctx_ctr *out_cctx = EVP_CIPHER_CTX_get_cipher_data(out);
1027 gost_grasshopper_cipher_ctx_ctr *in_cctx = EVP_CIPHER_CTX_get_cipher_data(ctx);
1029 if (in_cctx->c.type != GRASSHOPPER_CIPHER_CTRACPKMOMAC)
1032 if (in_cctx->omac_ctx == out_cctx->omac_ctx) {
1033 out_cctx->omac_ctx = EVP_MD_CTX_new();
1034 if (out_cctx->omac_ctx == NULL) {
1035 GOSTerr(GOST_F_GOST_GRASSHOPPER_CIPHER_CTL, ERR_R_MALLOC_FAILURE);
1039 return EVP_MD_CTX_copy(out_cctx->omac_ctx, in_cctx->omac_ctx);
1042 GOSTerr(GOST_F_GOST_GRASSHOPPER_CIPHER_CTL,
1043 GOST_R_UNSUPPORTED_CIPHER_CTL_COMMAND);
1049 GRASSHOPPER_INLINE EVP_CIPHER *cipher_gost_grasshopper_create(int
1053 return EVP_CIPHER_meth_new(cipher_type, block_size /* block_size */ ,
1054 GRASSHOPPER_KEY_SIZE /* key_size */ );
1057 const int cipher_gost_grasshopper_setup(EVP_CIPHER *cipher, uint8_t mode,
1058 int iv_size, bool padding, int extra_flags)
1060 unsigned long flags = (unsigned long)(mode
1061 | ((!padding) ? EVP_CIPH_NO_PADDING : 0)
1062 | ((iv_size > 0) ? EVP_CIPH_CUSTOM_IV : 0)
1063 | EVP_CIPH_RAND_KEY | EVP_CIPH_ALWAYS_CALL_INIT
1066 return EVP_CIPHER_meth_set_iv_length(cipher, iv_size)
1067 && EVP_CIPHER_meth_set_flags(cipher, flags)
1068 && EVP_CIPHER_meth_set_cleanup(cipher, gost_grasshopper_cipher_cleanup)
1069 && EVP_CIPHER_meth_set_set_asn1_params(cipher,
1070 gost_grasshopper_set_asn1_parameters)
1071 && EVP_CIPHER_meth_set_get_asn1_params(cipher,
1072 gost_grasshopper_get_asn1_parameters)
1073 && EVP_CIPHER_meth_set_ctrl(cipher, gost_grasshopper_cipher_ctl)
1074 && EVP_CIPHER_meth_set_do_cipher(cipher, gost_grasshopper_cipher_do);
1077 const GRASSHOPPER_INLINE EVP_CIPHER *cipher_gost_grasshopper(uint8_t mode,
1080 EVP_CIPHER **cipher;
1081 struct GRASSHOPPER_CIPHER_PARAMS *params;
1083 cipher = &gost_grasshopper_ciphers[num];
1085 if (*cipher == NULL) {
1086 grasshopper_init_cipher_func init_cipher;
1087 int nid, block_size, ctx_size, iv_size, extra_flags;
1090 params = &gost_cipher_params[num];
1093 init_cipher = params->init_cipher;
1094 block_size = params->block_size;
1095 ctx_size = params->ctx_size;
1096 iv_size = params->iv_size;
1097 padding = params->padding;
1098 extra_flags = params->extra_flags;
1100 *cipher = cipher_gost_grasshopper_create(nid, block_size);
1101 if (*cipher == NULL) {
1105 if (!cipher_gost_grasshopper_setup(*cipher, mode, iv_size, padding, extra_flags)
1106 || !EVP_CIPHER_meth_set_init(*cipher, init_cipher)
1107 || !EVP_CIPHER_meth_set_impl_ctx_size(*cipher, ctx_size)) {
1108 EVP_CIPHER_meth_free(*cipher);
1116 const GRASSHOPPER_INLINE EVP_CIPHER *cipher_gost_grasshopper_ecb()
1118 return cipher_gost_grasshopper(EVP_CIPH_ECB_MODE, GRASSHOPPER_CIPHER_ECB);
1121 const GRASSHOPPER_INLINE EVP_CIPHER *cipher_gost_grasshopper_cbc()
1123 return cipher_gost_grasshopper(EVP_CIPH_CBC_MODE, GRASSHOPPER_CIPHER_CBC);
1126 const GRASSHOPPER_INLINE EVP_CIPHER *cipher_gost_grasshopper_ofb()
1128 return cipher_gost_grasshopper(EVP_CIPH_OFB_MODE, GRASSHOPPER_CIPHER_OFB);
1131 const GRASSHOPPER_INLINE EVP_CIPHER *cipher_gost_grasshopper_cfb()
1133 return cipher_gost_grasshopper(EVP_CIPH_CFB_MODE, GRASSHOPPER_CIPHER_CFB);
1136 const GRASSHOPPER_INLINE EVP_CIPHER *cipher_gost_grasshopper_ctr()
1138 return cipher_gost_grasshopper(EVP_CIPH_CTR_MODE, GRASSHOPPER_CIPHER_CTR);
1141 const GRASSHOPPER_INLINE EVP_CIPHER *cipher_gost_grasshopper_ctracpkm()
1143 return cipher_gost_grasshopper(EVP_CIPH_CTR_MODE,
1144 GRASSHOPPER_CIPHER_CTRACPKM);
1147 const GRASSHOPPER_INLINE EVP_CIPHER *cipher_gost_grasshopper_ctracpkm_omac()
1149 return cipher_gost_grasshopper(EVP_CIPH_CTR_MODE,
1150 GRASSHOPPER_CIPHER_CTRACPKMOMAC);
1153 void cipher_gost_grasshopper_destroy(void)
1155 EVP_CIPHER_meth_free(gost_grasshopper_ciphers[GRASSHOPPER_CIPHER_ECB]);
1156 gost_grasshopper_ciphers[GRASSHOPPER_CIPHER_ECB] = NULL;
1157 EVP_CIPHER_meth_free(gost_grasshopper_ciphers[GRASSHOPPER_CIPHER_CBC]);
1158 gost_grasshopper_ciphers[GRASSHOPPER_CIPHER_CBC] = NULL;
1159 EVP_CIPHER_meth_free(gost_grasshopper_ciphers[GRASSHOPPER_CIPHER_OFB]);
1160 gost_grasshopper_ciphers[GRASSHOPPER_CIPHER_OFB] = NULL;
1161 EVP_CIPHER_meth_free(gost_grasshopper_ciphers[GRASSHOPPER_CIPHER_CFB]);
1162 gost_grasshopper_ciphers[GRASSHOPPER_CIPHER_CFB] = NULL;
1163 EVP_CIPHER_meth_free(gost_grasshopper_ciphers[GRASSHOPPER_CIPHER_CTR]);
1164 gost_grasshopper_ciphers[GRASSHOPPER_CIPHER_CTR] = NULL;
1165 EVP_CIPHER_meth_free(gost_grasshopper_ciphers[GRASSHOPPER_CIPHER_CTRACPKM]);
1166 gost_grasshopper_ciphers[GRASSHOPPER_CIPHER_CTRACPKM] = NULL;
1167 EVP_CIPHER_meth_free(gost_grasshopper_ciphers[GRASSHOPPER_CIPHER_CTRACPKMOMAC]);
1168 gost_grasshopper_ciphers[GRASSHOPPER_CIPHER_CTRACPKMOMAC] = NULL;
1170 /* vim: set expandtab cinoptions=\:0,l1,t0,g0,(0 sw=4 : */
projects / openssl-gost / engine.git / blob