3 * This file is distributed under the same license as OpenSSL
6 #include "gost_grasshopper_cipher.h"
7 #include "gost_grasshopper_defines.h"
8 #include "gost_grasshopper_math.h"
9 #include "gost_grasshopper_core.h"
11 #include <openssl/evp.h>
12 #include <openssl/rand.h>
13 #include <openssl/err.h>
17 #include "e_gost_err.h"
19 enum GRASSHOPPER_CIPHER_TYPE {
20 GRASSHOPPER_CIPHER_ECB = 0,
21 GRASSHOPPER_CIPHER_CBC,
22 GRASSHOPPER_CIPHER_OFB,
23 GRASSHOPPER_CIPHER_CFB,
24 GRASSHOPPER_CIPHER_CTR,
25 GRASSHOPPER_CIPHER_CTRACPKM,
28 static EVP_CIPHER *gost_grasshopper_ciphers[6] = {
29 [GRASSHOPPER_CIPHER_ECB] = NULL,
30 [GRASSHOPPER_CIPHER_CBC] = NULL,
31 [GRASSHOPPER_CIPHER_OFB] = NULL,
32 [GRASSHOPPER_CIPHER_CFB] = NULL,
33 [GRASSHOPPER_CIPHER_CTR] = NULL,
34 [GRASSHOPPER_CIPHER_CTRACPKM] = NULL,
37 static GRASSHOPPER_INLINE void
38 gost_grasshopper_cipher_destroy_ofb(gost_grasshopper_cipher_ctx * c);
39 static GRASSHOPPER_INLINE void
40 gost_grasshopper_cipher_destroy_ctr(gost_grasshopper_cipher_ctx * c);
42 struct GRASSHOPPER_CIPHER_PARAMS {
44 grasshopper_init_cipher_func init_cipher;
45 grasshopper_do_cipher_func do_cipher;
46 grasshopper_destroy_cipher_func destroy_cipher;
53 static struct GRASSHOPPER_CIPHER_PARAMS gost_cipher_params[6] = {
54 [GRASSHOPPER_CIPHER_ECB] = {
56 gost_grasshopper_cipher_init_ecb,
57 gost_grasshopper_cipher_do_ecb,
60 sizeof(gost_grasshopper_cipher_ctx),
64 [GRASSHOPPER_CIPHER_CBC] = {
66 gost_grasshopper_cipher_init_cbc,
67 gost_grasshopper_cipher_do_cbc,
70 sizeof(gost_grasshopper_cipher_ctx),
74 [GRASSHOPPER_CIPHER_OFB] = {
76 gost_grasshopper_cipher_init_ofb,
77 gost_grasshopper_cipher_do_ofb,
78 gost_grasshopper_cipher_destroy_ofb,
80 sizeof(gost_grasshopper_cipher_ctx_ofb),
84 [GRASSHOPPER_CIPHER_CFB] = {
86 gost_grasshopper_cipher_init_cfb,
87 gost_grasshopper_cipher_do_cfb,
90 sizeof(gost_grasshopper_cipher_ctx),
94 [GRASSHOPPER_CIPHER_CTR] = {
96 gost_grasshopper_cipher_init_ctr,
97 gost_grasshopper_cipher_do_ctr,
98 gost_grasshopper_cipher_destroy_ctr,
100 sizeof(gost_grasshopper_cipher_ctx_ctr),
101 /* IV size is set to match full block, to make it responsibility of
102 * user to assign correct values (IV || 0), and to make naive context
103 * copy possible (for software such as openssh) */
107 [GRASSHOPPER_CIPHER_CTRACPKM] = {
108 NID_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm,
109 gost_grasshopper_cipher_init_ctracpkm,
110 gost_grasshopper_cipher_do_ctracpkm,
111 gost_grasshopper_cipher_destroy_ctr,
113 sizeof(gost_grasshopper_cipher_ctx_ctr),
119 /* first 256 bit of D from draft-irtf-cfrg-re-keying-12 */
120 static const unsigned char ACPKM_D_2018[] = {
121 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, /* 64 bit */
122 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f, /* 128 bit */
123 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
124 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f, /* 256 bit */
127 static void acpkm_next(gost_grasshopper_cipher_ctx * c)
129 unsigned char newkey[GRASSHOPPER_KEY_SIZE];
130 const int J = GRASSHOPPER_KEY_SIZE / GRASSHOPPER_BLOCK_SIZE;
133 for (n = 0; n < J; n++) {
134 const unsigned char *D_n = &ACPKM_D_2018[n * GRASSHOPPER_BLOCK_SIZE];
136 grasshopper_encrypt_block(&c->encrypt_round_keys,
137 (grasshopper_w128_t *) D_n,
138 (grasshopper_w128_t *) & newkey[n *
139 GRASSHOPPER_BLOCK_SIZE],
142 gost_grasshopper_cipher_key(c, newkey);
145 /* Set 256 bit key into context */
146 GRASSHOPPER_INLINE void
147 gost_grasshopper_cipher_key(gost_grasshopper_cipher_ctx * c, const uint8_t *k)
150 for (i = 0; i < 2; i++) {
151 grasshopper_copy128(&c->key.k.k[i],
152 (const grasshopper_w128_t *)(k + i * 16));
155 grasshopper_set_encrypt_key(&c->encrypt_round_keys, &c->key);
156 grasshopper_set_decrypt_key(&c->decrypt_round_keys, &c->key);
159 /* Set master 256-bit key to be used in TLSTREE calculation into context */
160 GRASSHOPPER_INLINE void
161 gost_grasshopper_master_key(gost_grasshopper_cipher_ctx * c, const uint8_t *k)
164 for (i = 0; i < 2; i++) {
165 grasshopper_copy128(&c->master_key.k.k[i],
166 (const grasshopper_w128_t *)(k + i * 16));
170 /* Cleans up key from context */
171 GRASSHOPPER_INLINE void
172 gost_grasshopper_cipher_destroy(gost_grasshopper_cipher_ctx * c)
175 for (i = 0; i < 2; i++) {
176 grasshopper_zero128(&c->key.k.k[i]);
177 grasshopper_zero128(&c->master_key.k.k[i]);
179 for (i = 0; i < GRASSHOPPER_ROUND_KEYS_COUNT; i++) {
180 grasshopper_zero128(&c->encrypt_round_keys.k[i]);
182 for (i = 0; i < GRASSHOPPER_ROUND_KEYS_COUNT; i++) {
183 grasshopper_zero128(&c->decrypt_round_keys.k[i]);
185 grasshopper_zero128(&c->buffer);
188 static GRASSHOPPER_INLINE void
189 gost_grasshopper_cipher_destroy_ofb(gost_grasshopper_cipher_ctx * c)
191 gost_grasshopper_cipher_ctx_ofb *ctx =
192 (gost_grasshopper_cipher_ctx_ofb *) c;
194 grasshopper_zero128(&ctx->buffer1);
197 static GRASSHOPPER_INLINE void
198 gost_grasshopper_cipher_destroy_ctr(gost_grasshopper_cipher_ctx * c)
200 gost_grasshopper_cipher_ctx_ctr *ctx =
201 (gost_grasshopper_cipher_ctx_ctr *) c;
203 grasshopper_zero128(&ctx->partial_buffer);
206 int gost_grasshopper_cipher_init(EVP_CIPHER_CTX *ctx,
207 const unsigned char *key,
208 const unsigned char *iv, int enc)
210 gost_grasshopper_cipher_ctx *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
212 if (EVP_CIPHER_CTX_get_app_data(ctx) == NULL) {
213 EVP_CIPHER_CTX_set_app_data(ctx, EVP_CIPHER_CTX_get_cipher_data(ctx));
217 gost_grasshopper_cipher_key(c, key);
218 gost_grasshopper_master_key(c, key);
222 memcpy((unsigned char *)EVP_CIPHER_CTX_original_iv(ctx), iv,
223 EVP_CIPHER_CTX_iv_length(ctx));
226 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx),
227 EVP_CIPHER_CTX_original_iv(ctx), EVP_CIPHER_CTX_iv_length(ctx));
229 grasshopper_zero128(&c->buffer);
234 GRASSHOPPER_INLINE int gost_grasshopper_cipher_init_ecb(EVP_CIPHER_CTX *ctx, const unsigned char
235 *key, const unsigned char
238 gost_grasshopper_cipher_ctx *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
239 c->type = GRASSHOPPER_CIPHER_ECB;
240 return gost_grasshopper_cipher_init(ctx, key, iv, enc);
243 GRASSHOPPER_INLINE int gost_grasshopper_cipher_init_cbc(EVP_CIPHER_CTX *ctx, const unsigned char
244 *key, const unsigned char
247 gost_grasshopper_cipher_ctx *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
248 c->type = GRASSHOPPER_CIPHER_CBC;
249 return gost_grasshopper_cipher_init(ctx, key, iv, enc);
252 GRASSHOPPER_INLINE int gost_grasshopper_cipher_init_ofb(EVP_CIPHER_CTX *ctx, const unsigned char
253 *key, const unsigned char
256 gost_grasshopper_cipher_ctx_ofb *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
258 c->c.type = GRASSHOPPER_CIPHER_OFB;
260 grasshopper_zero128(&c->buffer1);
262 return gost_grasshopper_cipher_init(ctx, key, iv, enc);
265 GRASSHOPPER_INLINE int gost_grasshopper_cipher_init_cfb(EVP_CIPHER_CTX *ctx, const unsigned char
266 *key, const unsigned char
269 gost_grasshopper_cipher_ctx *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
270 c->type = GRASSHOPPER_CIPHER_CFB;
271 return gost_grasshopper_cipher_init(ctx, key, iv, enc);
274 GRASSHOPPER_INLINE int gost_grasshopper_cipher_init_ctr(EVP_CIPHER_CTX *ctx, const unsigned char
275 *key, const unsigned char
278 gost_grasshopper_cipher_ctx_ctr *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
280 c->c.type = GRASSHOPPER_CIPHER_CTR;
281 EVP_CIPHER_CTX_set_num(ctx, 0);
283 grasshopper_zero128(&c->partial_buffer);
285 return gost_grasshopper_cipher_init(ctx, key, iv, enc);
288 GRASSHOPPER_INLINE int gost_grasshopper_cipher_init_ctracpkm(EVP_CIPHER_CTX
290 char *key, const unsigned
293 gost_grasshopper_cipher_ctx_ctr *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
295 /* NB: setting type makes EVP do_cipher callback useless */
296 c->c.type = GRASSHOPPER_CIPHER_CTRACPKM;
297 EVP_CIPHER_CTX_set_num(ctx, 0);
298 c->section_size = 4096;
300 return gost_grasshopper_cipher_init(ctx, key, iv, enc);
303 GRASSHOPPER_INLINE int gost_grasshopper_cipher_do(EVP_CIPHER_CTX *ctx,
305 const unsigned char *in,
308 gost_grasshopper_cipher_ctx *c =
309 (gost_grasshopper_cipher_ctx *) EVP_CIPHER_CTX_get_cipher_data(ctx);
310 struct GRASSHOPPER_CIPHER_PARAMS *params = &gost_cipher_params[c->type];
312 return params->do_cipher(ctx, out, in, inl);
315 int gost_grasshopper_cipher_do_ecb(EVP_CIPHER_CTX *ctx, unsigned char *out,
316 const unsigned char *in, size_t inl)
318 gost_grasshopper_cipher_ctx *c =
319 (gost_grasshopper_cipher_ctx *) EVP_CIPHER_CTX_get_cipher_data(ctx);
320 bool encrypting = (bool) EVP_CIPHER_CTX_encrypting(ctx);
321 const unsigned char *current_in = in;
322 unsigned char *current_out = out;
323 size_t blocks = inl / GRASSHOPPER_BLOCK_SIZE;
326 for (i = 0; i < blocks;
327 i++, current_in += GRASSHOPPER_BLOCK_SIZE, current_out +=
328 GRASSHOPPER_BLOCK_SIZE) {
330 grasshopper_encrypt_block(&c->encrypt_round_keys,
331 (grasshopper_w128_t *) current_in,
332 (grasshopper_w128_t *) current_out,
335 grasshopper_decrypt_block(&c->decrypt_round_keys,
336 (grasshopper_w128_t *) current_in,
337 (grasshopper_w128_t *) current_out,
345 int gost_grasshopper_cipher_do_cbc(EVP_CIPHER_CTX *ctx, unsigned char *out,
346 const unsigned char *in, size_t inl)
348 gost_grasshopper_cipher_ctx *c =
349 (gost_grasshopper_cipher_ctx *) EVP_CIPHER_CTX_get_cipher_data(ctx);
350 unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
351 bool encrypting = (bool) EVP_CIPHER_CTX_encrypting(ctx);
352 const unsigned char *current_in = in;
353 unsigned char *current_out = out;
354 grasshopper_w128_t *currentInputBlock;
355 grasshopper_w128_t *currentOutputBlock;
356 size_t blocks = inl / GRASSHOPPER_BLOCK_SIZE;
358 grasshopper_w128_t *currentBlock;
360 currentBlock = (grasshopper_w128_t *) iv;
362 for (i = 0; i < blocks;
363 i++, current_in += GRASSHOPPER_BLOCK_SIZE, current_out +=
364 GRASSHOPPER_BLOCK_SIZE) {
365 currentInputBlock = (grasshopper_w128_t *) current_in;
366 currentOutputBlock = (grasshopper_w128_t *) current_out;
368 grasshopper_append128(currentBlock, currentInputBlock);
369 grasshopper_encrypt_block(&c->encrypt_round_keys, currentBlock,
370 currentOutputBlock, &c->buffer);
371 grasshopper_copy128(currentBlock, currentOutputBlock);
373 grasshopper_w128_t tmp;
375 grasshopper_copy128(&tmp, currentInputBlock);
376 grasshopper_decrypt_block(&c->decrypt_round_keys,
377 currentInputBlock, currentOutputBlock,
379 grasshopper_append128(currentOutputBlock, currentBlock);
380 grasshopper_copy128(currentBlock, &tmp);
387 void inc_counter(unsigned char *counter, size_t counter_bytes)
390 unsigned int n = counter_bytes;
402 /* increment counter (128-bit int) by 1 */
403 static void ctr128_inc(unsigned char *counter)
405 inc_counter(counter, 16);
408 int gost_grasshopper_cipher_do_ctr(EVP_CIPHER_CTX *ctx, unsigned char *out,
409 const unsigned char *in, size_t inl)
411 gost_grasshopper_cipher_ctx_ctr *c = (gost_grasshopper_cipher_ctx_ctr *)
412 EVP_CIPHER_CTX_get_cipher_data(ctx);
413 unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
414 const unsigned char *current_in = in;
415 unsigned char *current_out = out;
416 grasshopper_w128_t *currentInputBlock;
417 grasshopper_w128_t *currentOutputBlock;
418 unsigned int n = EVP_CIPHER_CTX_num(ctx);
423 *(current_out++) = *(current_in++) ^ c->partial_buffer.b[n];
425 n = (n + 1) % GRASSHOPPER_BLOCK_SIZE;
427 EVP_CIPHER_CTX_set_num(ctx, n);
428 size_t blocks = inl / GRASSHOPPER_BLOCK_SIZE;
430 grasshopper_w128_t *iv_buffer = (grasshopper_w128_t *) iv;
431 grasshopper_w128_t tmp;
434 for (i = 0; i < blocks; i++) {
435 currentInputBlock = (grasshopper_w128_t *) current_in;
436 currentOutputBlock = (grasshopper_w128_t *) current_out;
437 grasshopper_encrypt_block(&c->c.encrypt_round_keys, iv_buffer,
438 &c->partial_buffer, &c->c.buffer);
439 grasshopper_plus128(&tmp, &c->partial_buffer, currentInputBlock);
440 grasshopper_copy128(currentOutputBlock, &tmp);
441 ctr128_inc(iv_buffer->b);
442 current_in += GRASSHOPPER_BLOCK_SIZE;
443 current_out += GRASSHOPPER_BLOCK_SIZE;
447 lasted = inl - blocks * GRASSHOPPER_BLOCK_SIZE;
449 currentInputBlock = (grasshopper_w128_t *) current_in;
450 currentOutputBlock = (grasshopper_w128_t *) current_out;
451 grasshopper_encrypt_block(&c->c.encrypt_round_keys, iv_buffer,
452 &c->partial_buffer, &c->c.buffer);
453 for (i = 0; i < lasted; i++) {
454 currentOutputBlock->b[i] =
455 c->partial_buffer.b[i] ^ currentInputBlock->b[i];
457 EVP_CIPHER_CTX_set_num(ctx, i);
458 ctr128_inc(iv_buffer->b);
464 #define GRASSHOPPER_BLOCK_MASK (GRASSHOPPER_BLOCK_SIZE - 1)
465 static inline void apply_acpkm_grasshopper(gost_grasshopper_cipher_ctx_ctr *
466 ctx, unsigned int *num)
468 if (!ctx->section_size || (*num < ctx->section_size))
471 *num &= GRASSHOPPER_BLOCK_MASK;
474 /* If meshing is not configured via ctrl (setting section_size)
475 * this function works exactly like plain ctr */
476 int gost_grasshopper_cipher_do_ctracpkm(EVP_CIPHER_CTX *ctx,
478 const unsigned char *in, size_t inl)
480 gost_grasshopper_cipher_ctx_ctr *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
481 unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
482 unsigned int num = EVP_CIPHER_CTX_num(ctx);
484 while ((num & GRASSHOPPER_BLOCK_MASK) && inl) {
485 *out++ = *in++ ^ c->partial_buffer.b[num & GRASSHOPPER_BLOCK_MASK];
489 size_t blocks = inl / GRASSHOPPER_BLOCK_SIZE;
491 grasshopper_w128_t tmp;
494 for (i = 0; i < blocks; i++) {
495 apply_acpkm_grasshopper(c, &num);
496 grasshopper_encrypt_block(&c->c.encrypt_round_keys,
497 (grasshopper_w128_t *) iv,
498 (grasshopper_w128_t *) & c->partial_buffer,
500 grasshopper_plus128(&tmp, &c->partial_buffer,
501 (grasshopper_w128_t *) in);
502 grasshopper_copy128((grasshopper_w128_t *) out, &tmp);
504 in += GRASSHOPPER_BLOCK_SIZE;
505 out += GRASSHOPPER_BLOCK_SIZE;
506 num += GRASSHOPPER_BLOCK_SIZE;
510 size_t lasted = inl - blocks * GRASSHOPPER_BLOCK_SIZE;
512 apply_acpkm_grasshopper(c, &num);
513 grasshopper_encrypt_block(&c->c.encrypt_round_keys,
514 (grasshopper_w128_t *) iv,
515 &c->partial_buffer, &c->c.buffer);
516 for (i = 0; i < lasted; i++)
517 out[i] = c->partial_buffer.b[i] ^ in[i];
521 EVP_CIPHER_CTX_set_num(ctx, num);
527 * Fixed 128-bit IV implementation make shift regiser redundant.
529 static void gost_grasshopper_cnt_next(gost_grasshopper_cipher_ctx_ofb * ctx,
530 grasshopper_w128_t * iv,
531 grasshopper_w128_t * buf)
533 memcpy(&ctx->buffer1, iv, 16);
534 grasshopper_encrypt_block(&ctx->c.encrypt_round_keys, &ctx->buffer1,
535 buf, &ctx->c.buffer);
539 int gost_grasshopper_cipher_do_ofb(EVP_CIPHER_CTX *ctx, unsigned char *out,
540 const unsigned char *in, size_t inl)
542 gost_grasshopper_cipher_ctx_ofb *c = (gost_grasshopper_cipher_ctx_ofb *)
543 EVP_CIPHER_CTX_get_cipher_data(ctx);
544 const unsigned char *in_ptr = in;
545 unsigned char *out_ptr = out;
546 unsigned char *buf = EVP_CIPHER_CTX_buf_noconst(ctx);
547 unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
548 int num = EVP_CIPHER_CTX_num(ctx);
552 /* process partial block if any */
554 for (j = (size_t)num, i = 0; j < GRASSHOPPER_BLOCK_SIZE && i < inl;
555 j++, i++, in_ptr++, out_ptr++) {
556 *out_ptr = buf[j] ^ (*in_ptr);
558 if (j == GRASSHOPPER_BLOCK_SIZE) {
559 EVP_CIPHER_CTX_set_num(ctx, 0);
561 EVP_CIPHER_CTX_set_num(ctx, (int)j);
566 for (; i + GRASSHOPPER_BLOCK_SIZE <
568 i += GRASSHOPPER_BLOCK_SIZE, in_ptr +=
569 GRASSHOPPER_BLOCK_SIZE, out_ptr += GRASSHOPPER_BLOCK_SIZE) {
571 * block cipher current iv
574 gost_grasshopper_cnt_next(c, (grasshopper_w128_t *) iv,
575 (grasshopper_w128_t *) buf);
578 * xor next block of input text with it and output it
583 for (j = 0; j < GRASSHOPPER_BLOCK_SIZE; j++) {
584 out_ptr[j] = buf[j] ^ in_ptr[j];
588 /* Process rest of buffer */
590 gost_grasshopper_cnt_next(c, (grasshopper_w128_t *) iv,
591 (grasshopper_w128_t *) buf);
592 for (j = 0; i < inl; j++, i++) {
593 out_ptr[j] = buf[j] ^ in_ptr[j];
595 EVP_CIPHER_CTX_set_num(ctx, (int)j);
597 EVP_CIPHER_CTX_set_num(ctx, 0);
603 int gost_grasshopper_cipher_do_cfb(EVP_CIPHER_CTX *ctx, unsigned char *out,
604 const unsigned char *in, size_t inl)
606 gost_grasshopper_cipher_ctx *c =
607 (gost_grasshopper_cipher_ctx *) EVP_CIPHER_CTX_get_cipher_data(ctx);
608 const unsigned char *in_ptr = in;
609 unsigned char *out_ptr = out;
610 unsigned char *buf = EVP_CIPHER_CTX_buf_noconst(ctx);
611 unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
612 bool encrypting = (bool) EVP_CIPHER_CTX_encrypting(ctx);
613 int num = EVP_CIPHER_CTX_num(ctx);
617 /* process partial block if any */
619 for (j = (size_t)num, i = 0; j < GRASSHOPPER_BLOCK_SIZE && i < inl;
620 j++, i++, in_ptr++, out_ptr++) {
622 buf[j + GRASSHOPPER_BLOCK_SIZE] = *in_ptr;
624 *out_ptr = buf[j] ^ (*in_ptr);
626 buf[j + GRASSHOPPER_BLOCK_SIZE] = *out_ptr;
629 if (j == GRASSHOPPER_BLOCK_SIZE) {
630 memcpy(iv, buf + GRASSHOPPER_BLOCK_SIZE, GRASSHOPPER_BLOCK_SIZE);
631 EVP_CIPHER_CTX_set_num(ctx, 0);
633 EVP_CIPHER_CTX_set_num(ctx, (int)j);
638 for (; i + GRASSHOPPER_BLOCK_SIZE <
640 i += GRASSHOPPER_BLOCK_SIZE, in_ptr +=
641 GRASSHOPPER_BLOCK_SIZE, out_ptr += GRASSHOPPER_BLOCK_SIZE) {
643 * block cipher current iv
645 grasshopper_encrypt_block(&c->encrypt_round_keys,
646 (grasshopper_w128_t *) iv,
647 (grasshopper_w128_t *) buf, &c->buffer);
649 * xor next block of input text with it and output it
655 memcpy(iv, in_ptr, GRASSHOPPER_BLOCK_SIZE);
657 for (j = 0; j < GRASSHOPPER_BLOCK_SIZE; j++) {
658 out_ptr[j] = buf[j] ^ in_ptr[j];
661 /* Next iv is next block of cipher text */
663 memcpy(iv, out_ptr, GRASSHOPPER_BLOCK_SIZE);
667 /* Process rest of buffer */
669 grasshopper_encrypt_block(&c->encrypt_round_keys,
670 (grasshopper_w128_t *) iv,
671 (grasshopper_w128_t *) buf, &c->buffer);
673 memcpy(buf + GRASSHOPPER_BLOCK_SIZE, in_ptr, inl - i);
675 for (j = 0; i < inl; j++, i++) {
676 out_ptr[j] = buf[j] ^ in_ptr[j];
678 EVP_CIPHER_CTX_set_num(ctx, (int)j);
680 memcpy(buf + GRASSHOPPER_BLOCK_SIZE, out_ptr, j);
683 EVP_CIPHER_CTX_set_num(ctx, 0);
689 int gost_grasshopper_cipher_cleanup(EVP_CIPHER_CTX *ctx)
691 gost_grasshopper_cipher_ctx *c =
692 (gost_grasshopper_cipher_ctx *) EVP_CIPHER_CTX_get_cipher_data(ctx);
697 struct GRASSHOPPER_CIPHER_PARAMS *params = &gost_cipher_params[c->type];
699 gost_grasshopper_cipher_destroy(c);
700 if (params->destroy_cipher != NULL) {
701 params->destroy_cipher(c);
704 EVP_CIPHER_CTX_set_app_data(ctx, NULL);
709 int gost_grasshopper_set_asn1_parameters(EVP_CIPHER_CTX *ctx, ASN1_TYPE *params)
712 unsigned char *buf = NULL;
713 ASN1_OCTET_STRING *os = NULL;
715 os = ASN1_OCTET_STRING_new();
717 if (!os || !ASN1_OCTET_STRING_set(os, buf, len)) {
719 GOSTerr(GOST_F_GOST_GRASSHOPPER_SET_ASN1_PARAMETERS,
720 ERR_R_MALLOC_FAILURE);
725 ASN1_TYPE_set(params, V_ASN1_SEQUENCE, os);
729 GRASSHOPPER_INLINE int gost_grasshopper_get_asn1_parameters(EVP_CIPHER_CTX
735 if (ASN1_TYPE_get(params) != V_ASN1_SEQUENCE) {
742 int gost_grasshopper_cipher_ctl(EVP_CIPHER_CTX *ctx, int type, int arg,
746 case EVP_CTRL_RAND_KEY:{
748 ((unsigned char *)ptr, EVP_CIPHER_CTX_key_length(ctx)) <= 0) {
749 GOSTerr(GOST_F_GOST_GRASSHOPPER_CIPHER_CTL, GOST_R_RNG_ERROR);
754 case EVP_CTRL_KEY_MESH:{
755 gost_grasshopper_cipher_ctx_ctr *c =
756 EVP_CIPHER_CTX_get_cipher_data(ctx);
757 if (c->c.type != GRASSHOPPER_CIPHER_CTRACPKM || !arg
758 || (arg % GRASSHOPPER_BLOCK_SIZE))
760 c->section_size = arg;
763 #ifdef EVP_CTRL_TLS1_2_TLSTREE
764 case EVP_CTRL_TLS1_2_TLSTREE:
766 unsigned char newkey[32];
767 int mode = EVP_CIPHER_CTX_mode(ctx);
768 static const unsigned char zeroseq[8];
769 gost_grasshopper_cipher_ctx_ctr *ctr_ctx = NULL;
770 gost_grasshopper_cipher_ctx *c = NULL;
772 unsigned char adjusted_iv[16];
773 unsigned char seq[8];
775 if (mode != EVP_CIPH_CTR_MODE)
778 ctr_ctx = (gost_grasshopper_cipher_ctx_ctr *)
779 EVP_CIPHER_CTX_get_cipher_data(ctx);
783 if (EVP_CIPHER_CTX_encrypting(ctx)) {
785 * OpenSSL increments seq after mac calculation.
786 * As we have Mac-Then-Encrypt, we need decrement it here on encryption
787 * to derive the key correctly.
789 if (memcmp(seq, zeroseq, 8) != 0)
793 if (seq[j] != 0) {seq[j]--; break;}
798 if (gost_tlstree(NID_grasshopper_cbc, c->master_key.k.b, newkey,
799 (const unsigned char *)seq) > 0) {
800 memset(adjusted_iv, 0, 16);
801 memcpy(adjusted_iv, EVP_CIPHER_CTX_original_iv(ctx), 8);
804 int adj_byte, carry = 0;
805 adj_byte = adjusted_iv[j]+seq[j]+carry;
806 carry = (adj_byte > 255) ? 1 : 0;
807 adjusted_iv[j] = adj_byte & 0xFF;
809 EVP_CIPHER_CTX_set_num(ctx, 0);
810 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), adjusted_iv, 16);
812 gost_grasshopper_cipher_key(c, newkey);
819 GOSTerr(GOST_F_GOST_GRASSHOPPER_CIPHER_CTL,
820 GOST_R_UNSUPPORTED_CIPHER_CTL_COMMAND);
826 GRASSHOPPER_INLINE EVP_CIPHER *cipher_gost_grasshopper_create(int
830 return EVP_CIPHER_meth_new(cipher_type, block_size /* block_size */ ,
831 GRASSHOPPER_KEY_SIZE /* key_size */ );
834 const int cipher_gost_grasshopper_setup(EVP_CIPHER *cipher, uint8_t mode,
835 int iv_size, bool padding)
837 return EVP_CIPHER_meth_set_iv_length(cipher, iv_size)
838 && EVP_CIPHER_meth_set_flags(cipher,
839 (unsigned long)(mode |
841 EVP_CIPH_NO_PADDING :
847 EVP_CIPH_ALWAYS_CALL_INIT)
849 && EVP_CIPHER_meth_set_cleanup(cipher, gost_grasshopper_cipher_cleanup)
850 && EVP_CIPHER_meth_set_set_asn1_params(cipher,
851 gost_grasshopper_set_asn1_parameters)
852 && EVP_CIPHER_meth_set_get_asn1_params(cipher,
853 gost_grasshopper_get_asn1_parameters)
854 && EVP_CIPHER_meth_set_ctrl(cipher, gost_grasshopper_cipher_ctl)
855 && EVP_CIPHER_meth_set_do_cipher(cipher, gost_grasshopper_cipher_do);
858 const GRASSHOPPER_INLINE EVP_CIPHER *cipher_gost_grasshopper(uint8_t mode,
862 struct GRASSHOPPER_CIPHER_PARAMS *params;
864 cipher = &gost_grasshopper_ciphers[num];
866 if (*cipher == NULL) {
867 params = &gost_cipher_params[num];
869 int nid = params->nid;
870 grasshopper_init_cipher_func init_cipher = params->init_cipher;
871 int block_size = params->block_size;
872 int ctx_size = params->ctx_size;
873 int iv_size = params->iv_size;
874 bool padding = params->padding;
876 *cipher = cipher_gost_grasshopper_create(nid, block_size);
877 if (*cipher == NULL) {
881 if (!cipher_gost_grasshopper_setup(*cipher, mode, iv_size, padding)
882 || !EVP_CIPHER_meth_set_init(*cipher, init_cipher)
883 || !EVP_CIPHER_meth_set_impl_ctx_size(*cipher, ctx_size)) {
884 EVP_CIPHER_meth_free(*cipher);
892 const GRASSHOPPER_INLINE EVP_CIPHER *cipher_gost_grasshopper_ecb()
894 return cipher_gost_grasshopper(EVP_CIPH_ECB_MODE, GRASSHOPPER_CIPHER_ECB);
897 const GRASSHOPPER_INLINE EVP_CIPHER *cipher_gost_grasshopper_cbc()
899 return cipher_gost_grasshopper(EVP_CIPH_CBC_MODE, GRASSHOPPER_CIPHER_CBC);
902 const GRASSHOPPER_INLINE EVP_CIPHER *cipher_gost_grasshopper_ofb()
904 return cipher_gost_grasshopper(EVP_CIPH_OFB_MODE, GRASSHOPPER_CIPHER_OFB);
907 const GRASSHOPPER_INLINE EVP_CIPHER *cipher_gost_grasshopper_cfb()
909 return cipher_gost_grasshopper(EVP_CIPH_CFB_MODE, GRASSHOPPER_CIPHER_CFB);
912 const GRASSHOPPER_INLINE EVP_CIPHER *cipher_gost_grasshopper_ctr()
914 return cipher_gost_grasshopper(EVP_CIPH_CTR_MODE, GRASSHOPPER_CIPHER_CTR);
917 const GRASSHOPPER_INLINE EVP_CIPHER *cipher_gost_grasshopper_ctracpkm()
919 return cipher_gost_grasshopper(EVP_CIPH_CTR_MODE,
920 GRASSHOPPER_CIPHER_CTRACPKM);
923 void cipher_gost_grasshopper_destroy(void)
925 EVP_CIPHER_meth_free(gost_grasshopper_ciphers[GRASSHOPPER_CIPHER_ECB]);
926 gost_grasshopper_ciphers[GRASSHOPPER_CIPHER_ECB] = NULL;
927 EVP_CIPHER_meth_free(gost_grasshopper_ciphers[GRASSHOPPER_CIPHER_CBC]);
928 gost_grasshopper_ciphers[GRASSHOPPER_CIPHER_CBC] = NULL;
929 EVP_CIPHER_meth_free(gost_grasshopper_ciphers[GRASSHOPPER_CIPHER_OFB]);
930 gost_grasshopper_ciphers[GRASSHOPPER_CIPHER_OFB] = NULL;
931 EVP_CIPHER_meth_free(gost_grasshopper_ciphers[GRASSHOPPER_CIPHER_CFB]);
932 gost_grasshopper_ciphers[GRASSHOPPER_CIPHER_CFB] = NULL;
933 EVP_CIPHER_meth_free(gost_grasshopper_ciphers[GRASSHOPPER_CIPHER_CTR]);
934 gost_grasshopper_ciphers[GRASSHOPPER_CIPHER_CTR] = NULL;
935 EVP_CIPHER_meth_free(gost_grasshopper_ciphers[GRASSHOPPER_CIPHER_CTRACPKM]);
936 gost_grasshopper_ciphers[GRASSHOPPER_CIPHER_CTRACPKM] = NULL;
projects / openssl-gost / engine.git / blob