3 * This file is distributed under the same license as OpenSSL
6 #include "gost_grasshopper_cipher.h"
7 #include "gost_grasshopper_defines.h"
8 #include "gost_grasshopper_math.h"
9 #include "gost_grasshopper_core.h"
11 #include <openssl/evp.h>
12 #include <openssl/rand.h>
13 #include <openssl/err.h>
17 #include "e_gost_err.h"
19 enum GRASSHOPPER_CIPHER_TYPE {
20 GRASSHOPPER_CIPHER_ECB = 0,
21 GRASSHOPPER_CIPHER_CBC,
22 GRASSHOPPER_CIPHER_OFB,
23 GRASSHOPPER_CIPHER_CFB,
24 GRASSHOPPER_CIPHER_CTR,
25 GRASSHOPPER_CIPHER_CTRACPKM,
28 static EVP_CIPHER *gost_grasshopper_ciphers[6] = {
29 NULL, NULL, NULL, NULL, NULL, NULL,
32 static GRASSHOPPER_INLINE void
33 gost_grasshopper_cipher_destroy_ctr(gost_grasshopper_cipher_ctx * c);
35 struct GRASSHOPPER_CIPHER_PARAMS {
37 grasshopper_init_cipher_func init_cipher;
38 grasshopper_do_cipher_func do_cipher;
39 grasshopper_destroy_cipher_func destroy_cipher;
46 static struct GRASSHOPPER_CIPHER_PARAMS gost_cipher_params[6] = {
49 gost_grasshopper_cipher_init_ecb,
50 gost_grasshopper_cipher_do_ecb,
53 sizeof(gost_grasshopper_cipher_ctx),
59 gost_grasshopper_cipher_init_cbc,
60 gost_grasshopper_cipher_do_cbc,
63 sizeof(gost_grasshopper_cipher_ctx),
69 gost_grasshopper_cipher_init_ofb,
70 gost_grasshopper_cipher_do_ofb,
73 sizeof(gost_grasshopper_cipher_ctx),
79 gost_grasshopper_cipher_init_cfb,
80 gost_grasshopper_cipher_do_cfb,
83 sizeof(gost_grasshopper_cipher_ctx),
89 gost_grasshopper_cipher_init_ctr,
90 gost_grasshopper_cipher_do_ctr,
91 gost_grasshopper_cipher_destroy_ctr,
93 sizeof(gost_grasshopper_cipher_ctx_ctr),
94 /* IV size is set to match full block, to make it responsibility of
95 * user to assign correct values (IV || 0), and to make naive context
96 * copy possible (for software such as openssh) */
101 NID_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm,
102 gost_grasshopper_cipher_init_ctracpkm,
103 gost_grasshopper_cipher_do_ctracpkm,
104 gost_grasshopper_cipher_destroy_ctr,
106 sizeof(gost_grasshopper_cipher_ctx_ctr),
112 /* first 256 bit of D from draft-irtf-cfrg-re-keying-12 */
113 static const unsigned char ACPKM_D_2018[] = {
114 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, /* 64 bit */
115 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f, /* 128 bit */
116 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
117 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f, /* 256 bit */
120 static void acpkm_next(gost_grasshopper_cipher_ctx * c)
122 unsigned char newkey[GRASSHOPPER_KEY_SIZE];
123 const int J = GRASSHOPPER_KEY_SIZE / GRASSHOPPER_BLOCK_SIZE;
126 for (n = 0; n < J; n++) {
127 const unsigned char *D_n = &ACPKM_D_2018[n * GRASSHOPPER_BLOCK_SIZE];
129 grasshopper_encrypt_block(&c->encrypt_round_keys,
130 (grasshopper_w128_t *) D_n,
131 (grasshopper_w128_t *) & newkey[n *
132 GRASSHOPPER_BLOCK_SIZE],
135 gost_grasshopper_cipher_key(c, newkey);
138 /* Set 256 bit key into context */
139 GRASSHOPPER_INLINE void
140 gost_grasshopper_cipher_key(gost_grasshopper_cipher_ctx * c, const uint8_t *k)
143 for (i = 0; i < 2; i++) {
144 grasshopper_copy128(&c->key.k.k[i],
145 (const grasshopper_w128_t *)(k + i * 16));
148 grasshopper_set_encrypt_key(&c->encrypt_round_keys, &c->key);
149 grasshopper_set_decrypt_key(&c->decrypt_round_keys, &c->key);
152 /* Set master 256-bit key to be used in TLSTREE calculation into context */
153 GRASSHOPPER_INLINE void
154 gost_grasshopper_master_key(gost_grasshopper_cipher_ctx * c, const uint8_t *k)
157 for (i = 0; i < 2; i++) {
158 grasshopper_copy128(&c->master_key.k.k[i],
159 (const grasshopper_w128_t *)(k + i * 16));
163 /* Cleans up key from context */
164 GRASSHOPPER_INLINE void
165 gost_grasshopper_cipher_destroy(gost_grasshopper_cipher_ctx * c)
168 for (i = 0; i < 2; i++) {
169 grasshopper_zero128(&c->key.k.k[i]);
170 grasshopper_zero128(&c->master_key.k.k[i]);
172 for (i = 0; i < GRASSHOPPER_ROUND_KEYS_COUNT; i++) {
173 grasshopper_zero128(&c->encrypt_round_keys.k[i]);
175 for (i = 0; i < GRASSHOPPER_ROUND_KEYS_COUNT; i++) {
176 grasshopper_zero128(&c->decrypt_round_keys.k[i]);
178 grasshopper_zero128(&c->buffer);
181 static GRASSHOPPER_INLINE void
182 gost_grasshopper_cipher_destroy_ctr(gost_grasshopper_cipher_ctx * c)
184 gost_grasshopper_cipher_ctx_ctr *ctx =
185 (gost_grasshopper_cipher_ctx_ctr *) c;
187 grasshopper_zero128(&ctx->partial_buffer);
190 int gost_grasshopper_cipher_init(EVP_CIPHER_CTX *ctx,
191 const unsigned char *key,
192 const unsigned char *iv, int enc)
194 gost_grasshopper_cipher_ctx *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
196 if (EVP_CIPHER_CTX_get_app_data(ctx) == NULL) {
197 EVP_CIPHER_CTX_set_app_data(ctx, EVP_CIPHER_CTX_get_cipher_data(ctx));
201 gost_grasshopper_cipher_key(c, key);
202 gost_grasshopper_master_key(c, key);
206 memcpy((unsigned char *)EVP_CIPHER_CTX_original_iv(ctx), iv,
207 EVP_CIPHER_CTX_iv_length(ctx));
210 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx),
211 EVP_CIPHER_CTX_original_iv(ctx), EVP_CIPHER_CTX_iv_length(ctx));
213 grasshopper_zero128(&c->buffer);
218 GRASSHOPPER_INLINE int gost_grasshopper_cipher_init_ecb(EVP_CIPHER_CTX *ctx, const unsigned char
219 *key, const unsigned char
222 gost_grasshopper_cipher_ctx *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
223 c->type = GRASSHOPPER_CIPHER_ECB;
224 return gost_grasshopper_cipher_init(ctx, key, iv, enc);
227 GRASSHOPPER_INLINE int gost_grasshopper_cipher_init_cbc(EVP_CIPHER_CTX *ctx, const unsigned char
228 *key, const unsigned char
231 gost_grasshopper_cipher_ctx *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
232 c->type = GRASSHOPPER_CIPHER_CBC;
233 return gost_grasshopper_cipher_init(ctx, key, iv, enc);
236 GRASSHOPPER_INLINE int gost_grasshopper_cipher_init_ofb(EVP_CIPHER_CTX *ctx, const unsigned char
237 *key, const unsigned char
240 gost_grasshopper_cipher_ctx *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
241 c->type = GRASSHOPPER_CIPHER_OFB;
242 return gost_grasshopper_cipher_init(ctx, key, iv, enc);
245 GRASSHOPPER_INLINE int gost_grasshopper_cipher_init_cfb(EVP_CIPHER_CTX *ctx, const unsigned char
246 *key, const unsigned char
249 gost_grasshopper_cipher_ctx *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
250 c->type = GRASSHOPPER_CIPHER_CFB;
251 return gost_grasshopper_cipher_init(ctx, key, iv, enc);
254 GRASSHOPPER_INLINE int gost_grasshopper_cipher_init_ctr(EVP_CIPHER_CTX *ctx, const unsigned char
255 *key, const unsigned char
258 gost_grasshopper_cipher_ctx_ctr *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
260 c->c.type = GRASSHOPPER_CIPHER_CTR;
261 EVP_CIPHER_CTX_set_num(ctx, 0);
263 grasshopper_zero128(&c->partial_buffer);
265 return gost_grasshopper_cipher_init(ctx, key, iv, enc);
268 GRASSHOPPER_INLINE int gost_grasshopper_cipher_init_ctracpkm(EVP_CIPHER_CTX
270 char *key, const unsigned
273 gost_grasshopper_cipher_ctx_ctr *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
275 /* NB: setting type makes EVP do_cipher callback useless */
276 c->c.type = GRASSHOPPER_CIPHER_CTRACPKM;
277 EVP_CIPHER_CTX_set_num(ctx, 0);
278 c->section_size = 4096;
280 return gost_grasshopper_cipher_init(ctx, key, iv, enc);
283 GRASSHOPPER_INLINE int gost_grasshopper_cipher_do(EVP_CIPHER_CTX *ctx,
285 const unsigned char *in,
288 gost_grasshopper_cipher_ctx *c =
289 (gost_grasshopper_cipher_ctx *) EVP_CIPHER_CTX_get_cipher_data(ctx);
290 struct GRASSHOPPER_CIPHER_PARAMS *params = &gost_cipher_params[c->type];
292 return params->do_cipher(ctx, out, in, inl);
295 int gost_grasshopper_cipher_do_ecb(EVP_CIPHER_CTX *ctx, unsigned char *out,
296 const unsigned char *in, size_t inl)
298 gost_grasshopper_cipher_ctx *c =
299 (gost_grasshopper_cipher_ctx *) EVP_CIPHER_CTX_get_cipher_data(ctx);
300 bool encrypting = (bool) EVP_CIPHER_CTX_encrypting(ctx);
301 const unsigned char *current_in = in;
302 unsigned char *current_out = out;
303 size_t blocks = inl / GRASSHOPPER_BLOCK_SIZE;
306 for (i = 0; i < blocks;
307 i++, current_in += GRASSHOPPER_BLOCK_SIZE, current_out +=
308 GRASSHOPPER_BLOCK_SIZE) {
310 grasshopper_encrypt_block(&c->encrypt_round_keys,
311 (grasshopper_w128_t *) current_in,
312 (grasshopper_w128_t *) current_out,
315 grasshopper_decrypt_block(&c->decrypt_round_keys,
316 (grasshopper_w128_t *) current_in,
317 (grasshopper_w128_t *) current_out,
325 int gost_grasshopper_cipher_do_cbc(EVP_CIPHER_CTX *ctx, unsigned char *out,
326 const unsigned char *in, size_t inl)
328 gost_grasshopper_cipher_ctx *c =
329 (gost_grasshopper_cipher_ctx *) EVP_CIPHER_CTX_get_cipher_data(ctx);
330 unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
331 bool encrypting = (bool) EVP_CIPHER_CTX_encrypting(ctx);
332 const unsigned char *current_in = in;
333 unsigned char *current_out = out;
334 size_t blocks = inl / GRASSHOPPER_BLOCK_SIZE;
336 grasshopper_w128_t *currentBlock;
338 currentBlock = (grasshopper_w128_t *) iv;
340 for (i = 0; i < blocks;
341 i++, current_in += GRASSHOPPER_BLOCK_SIZE, current_out +=
342 GRASSHOPPER_BLOCK_SIZE) {
343 grasshopper_w128_t *currentInputBlock = (grasshopper_w128_t *) current_in;
344 grasshopper_w128_t *currentOutputBlock = (grasshopper_w128_t *) current_out;
346 grasshopper_append128(currentBlock, currentInputBlock);
347 grasshopper_encrypt_block(&c->encrypt_round_keys, currentBlock,
348 currentOutputBlock, &c->buffer);
349 grasshopper_copy128(currentBlock, currentOutputBlock);
351 grasshopper_w128_t tmp;
353 grasshopper_copy128(&tmp, currentInputBlock);
354 grasshopper_decrypt_block(&c->decrypt_round_keys,
355 currentInputBlock, currentOutputBlock,
357 grasshopper_append128(currentOutputBlock, currentBlock);
358 grasshopper_copy128(currentBlock, &tmp);
365 void inc_counter(unsigned char *counter, size_t counter_bytes)
367 unsigned int n = counter_bytes;
380 /* increment counter (128-bit int) by 1 */
381 static void ctr128_inc(unsigned char *counter)
383 inc_counter(counter, 16);
386 int gost_grasshopper_cipher_do_ctr(EVP_CIPHER_CTX *ctx, unsigned char *out,
387 const unsigned char *in, size_t inl)
389 gost_grasshopper_cipher_ctx_ctr *c = (gost_grasshopper_cipher_ctx_ctr *)
390 EVP_CIPHER_CTX_get_cipher_data(ctx);
391 unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
392 const unsigned char *current_in = in;
393 unsigned char *current_out = out;
394 grasshopper_w128_t *currentInputBlock;
395 grasshopper_w128_t *currentOutputBlock;
396 unsigned int n = EVP_CIPHER_CTX_num(ctx);
400 grasshopper_w128_t *iv_buffer;
401 grasshopper_w128_t tmp;
404 *(current_out++) = *(current_in++) ^ c->partial_buffer.b[n];
406 n = (n + 1) % GRASSHOPPER_BLOCK_SIZE;
408 EVP_CIPHER_CTX_set_num(ctx, n);
409 blocks = inl / GRASSHOPPER_BLOCK_SIZE;
411 iv_buffer = (grasshopper_w128_t *) iv;
414 for (i = 0; i < blocks; i++) {
415 currentInputBlock = (grasshopper_w128_t *) current_in;
416 currentOutputBlock = (grasshopper_w128_t *) current_out;
417 grasshopper_encrypt_block(&c->c.encrypt_round_keys, iv_buffer,
418 &c->partial_buffer, &c->c.buffer);
419 grasshopper_plus128(&tmp, &c->partial_buffer, currentInputBlock);
420 grasshopper_copy128(currentOutputBlock, &tmp);
421 ctr128_inc(iv_buffer->b);
422 current_in += GRASSHOPPER_BLOCK_SIZE;
423 current_out += GRASSHOPPER_BLOCK_SIZE;
427 lasted = inl - blocks * GRASSHOPPER_BLOCK_SIZE;
429 currentInputBlock = (grasshopper_w128_t *) current_in;
430 currentOutputBlock = (grasshopper_w128_t *) current_out;
431 grasshopper_encrypt_block(&c->c.encrypt_round_keys, iv_buffer,
432 &c->partial_buffer, &c->c.buffer);
433 for (i = 0; i < lasted; i++) {
434 currentOutputBlock->b[i] =
435 c->partial_buffer.b[i] ^ currentInputBlock->b[i];
437 EVP_CIPHER_CTX_set_num(ctx, i);
438 ctr128_inc(iv_buffer->b);
444 #define GRASSHOPPER_BLOCK_MASK (GRASSHOPPER_BLOCK_SIZE - 1)
445 static inline void apply_acpkm_grasshopper(gost_grasshopper_cipher_ctx_ctr *
446 ctx, unsigned int *num)
448 if (!ctx->section_size || (*num < ctx->section_size))
451 *num &= GRASSHOPPER_BLOCK_MASK;
454 /* If meshing is not configured via ctrl (setting section_size)
455 * this function works exactly like plain ctr */
456 int gost_grasshopper_cipher_do_ctracpkm(EVP_CIPHER_CTX *ctx,
458 const unsigned char *in, size_t inl)
460 gost_grasshopper_cipher_ctx_ctr *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
461 unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
462 unsigned int num = EVP_CIPHER_CTX_num(ctx);
463 size_t blocks, i, lasted;
464 grasshopper_w128_t tmp;
466 while ((num & GRASSHOPPER_BLOCK_MASK) && inl) {
467 *out++ = *in++ ^ c->partial_buffer.b[num & GRASSHOPPER_BLOCK_MASK];
471 blocks = inl / GRASSHOPPER_BLOCK_SIZE;
474 for (i = 0; i < blocks; i++) {
475 apply_acpkm_grasshopper(c, &num);
476 grasshopper_encrypt_block(&c->c.encrypt_round_keys,
477 (grasshopper_w128_t *) iv,
478 (grasshopper_w128_t *) & c->partial_buffer,
480 grasshopper_plus128(&tmp, &c->partial_buffer,
481 (grasshopper_w128_t *) in);
482 grasshopper_copy128((grasshopper_w128_t *) out, &tmp);
484 in += GRASSHOPPER_BLOCK_SIZE;
485 out += GRASSHOPPER_BLOCK_SIZE;
486 num += GRASSHOPPER_BLOCK_SIZE;
490 lasted = inl - blocks * GRASSHOPPER_BLOCK_SIZE;
492 apply_acpkm_grasshopper(c, &num);
493 grasshopper_encrypt_block(&c->c.encrypt_round_keys,
494 (grasshopper_w128_t *) iv,
495 &c->partial_buffer, &c->c.buffer);
496 for (i = 0; i < lasted; i++)
497 out[i] = c->partial_buffer.b[i] ^ in[i];
501 EVP_CIPHER_CTX_set_num(ctx, num);
507 * Fixed 128-bit IV implementation make shift regiser redundant.
509 static void gost_grasshopper_cnt_next(gost_grasshopper_cipher_ctx * ctx,
510 grasshopper_w128_t * iv,
511 grasshopper_w128_t * buf)
513 grasshopper_w128_t tmp;
514 memcpy(&tmp, iv, 16);
515 grasshopper_encrypt_block(&ctx->encrypt_round_keys, &tmp,
520 int gost_grasshopper_cipher_do_ofb(EVP_CIPHER_CTX *ctx, unsigned char *out,
521 const unsigned char *in, size_t inl)
523 gost_grasshopper_cipher_ctx *c = (gost_grasshopper_cipher_ctx *)
524 EVP_CIPHER_CTX_get_cipher_data(ctx);
525 const unsigned char *in_ptr = in;
526 unsigned char *out_ptr = out;
527 unsigned char *buf = EVP_CIPHER_CTX_buf_noconst(ctx);
528 unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
529 int num = EVP_CIPHER_CTX_num(ctx);
533 /* process partial block if any */
535 for (j = (size_t)num, i = 0; j < GRASSHOPPER_BLOCK_SIZE && i < inl;
536 j++, i++, in_ptr++, out_ptr++) {
537 *out_ptr = buf[j] ^ (*in_ptr);
539 if (j == GRASSHOPPER_BLOCK_SIZE) {
540 EVP_CIPHER_CTX_set_num(ctx, 0);
542 EVP_CIPHER_CTX_set_num(ctx, (int)j);
547 for (; i + GRASSHOPPER_BLOCK_SIZE <
549 i += GRASSHOPPER_BLOCK_SIZE, in_ptr +=
550 GRASSHOPPER_BLOCK_SIZE, out_ptr += GRASSHOPPER_BLOCK_SIZE) {
552 * block cipher current iv
555 gost_grasshopper_cnt_next(c, (grasshopper_w128_t *) iv,
556 (grasshopper_w128_t *) buf);
559 * xor next block of input text with it and output it
564 for (j = 0; j < GRASSHOPPER_BLOCK_SIZE; j++) {
565 out_ptr[j] = buf[j] ^ in_ptr[j];
569 /* Process rest of buffer */
571 gost_grasshopper_cnt_next(c, (grasshopper_w128_t *) iv,
572 (grasshopper_w128_t *) buf);
573 for (j = 0; i < inl; j++, i++) {
574 out_ptr[j] = buf[j] ^ in_ptr[j];
576 EVP_CIPHER_CTX_set_num(ctx, (int)j);
578 EVP_CIPHER_CTX_set_num(ctx, 0);
584 int gost_grasshopper_cipher_do_cfb(EVP_CIPHER_CTX *ctx, unsigned char *out,
585 const unsigned char *in, size_t inl)
587 gost_grasshopper_cipher_ctx *c =
588 (gost_grasshopper_cipher_ctx *) EVP_CIPHER_CTX_get_cipher_data(ctx);
589 const unsigned char *in_ptr = in;
590 unsigned char *out_ptr = out;
591 unsigned char *buf = EVP_CIPHER_CTX_buf_noconst(ctx);
592 unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
593 bool encrypting = (bool) EVP_CIPHER_CTX_encrypting(ctx);
594 int num = EVP_CIPHER_CTX_num(ctx);
598 /* process partial block if any */
600 for (j = (size_t)num, i = 0; j < GRASSHOPPER_BLOCK_SIZE && i < inl;
601 j++, i++, in_ptr++, out_ptr++) {
603 buf[j + GRASSHOPPER_BLOCK_SIZE] = *in_ptr;
605 *out_ptr = buf[j] ^ (*in_ptr);
607 buf[j + GRASSHOPPER_BLOCK_SIZE] = *out_ptr;
610 if (j == GRASSHOPPER_BLOCK_SIZE) {
611 memcpy(iv, buf + GRASSHOPPER_BLOCK_SIZE, GRASSHOPPER_BLOCK_SIZE);
612 EVP_CIPHER_CTX_set_num(ctx, 0);
614 EVP_CIPHER_CTX_set_num(ctx, (int)j);
619 for (; i + GRASSHOPPER_BLOCK_SIZE <
621 i += GRASSHOPPER_BLOCK_SIZE, in_ptr +=
622 GRASSHOPPER_BLOCK_SIZE, out_ptr += GRASSHOPPER_BLOCK_SIZE) {
624 * block cipher current iv
626 grasshopper_encrypt_block(&c->encrypt_round_keys,
627 (grasshopper_w128_t *) iv,
628 (grasshopper_w128_t *) buf, &c->buffer);
630 * xor next block of input text with it and output it
636 memcpy(iv, in_ptr, GRASSHOPPER_BLOCK_SIZE);
638 for (j = 0; j < GRASSHOPPER_BLOCK_SIZE; j++) {
639 out_ptr[j] = buf[j] ^ in_ptr[j];
642 /* Next iv is next block of cipher text */
644 memcpy(iv, out_ptr, GRASSHOPPER_BLOCK_SIZE);
648 /* Process rest of buffer */
650 grasshopper_encrypt_block(&c->encrypt_round_keys,
651 (grasshopper_w128_t *) iv,
652 (grasshopper_w128_t *) buf, &c->buffer);
654 memcpy(buf + GRASSHOPPER_BLOCK_SIZE, in_ptr, inl - i);
656 for (j = 0; i < inl; j++, i++) {
657 out_ptr[j] = buf[j] ^ in_ptr[j];
659 EVP_CIPHER_CTX_set_num(ctx, (int)j);
661 memcpy(buf + GRASSHOPPER_BLOCK_SIZE, out_ptr, j);
664 EVP_CIPHER_CTX_set_num(ctx, 0);
670 int gost_grasshopper_cipher_cleanup(EVP_CIPHER_CTX *ctx)
672 struct GRASSHOPPER_CIPHER_PARAMS *params;
673 gost_grasshopper_cipher_ctx *c =
674 (gost_grasshopper_cipher_ctx *) EVP_CIPHER_CTX_get_cipher_data(ctx);
679 params = &gost_cipher_params[c->type];
681 gost_grasshopper_cipher_destroy(c);
682 if (params->destroy_cipher != NULL) {
683 params->destroy_cipher(c);
686 EVP_CIPHER_CTX_set_app_data(ctx, NULL);
691 int gost_grasshopper_set_asn1_parameters(EVP_CIPHER_CTX *ctx, ASN1_TYPE *params)
694 unsigned char *buf = NULL;
695 ASN1_OCTET_STRING *os = ASN1_OCTET_STRING_new();
697 if (!os || !ASN1_OCTET_STRING_set(os, buf, len)) {
698 ASN1_OCTET_STRING_free(os);
700 GOSTerr(GOST_F_GOST_GRASSHOPPER_SET_ASN1_PARAMETERS,
701 ERR_R_MALLOC_FAILURE);
706 ASN1_TYPE_set(params, V_ASN1_SEQUENCE, os);
710 GRASSHOPPER_INLINE int gost_grasshopper_get_asn1_parameters(EVP_CIPHER_CTX
714 if (ASN1_TYPE_get(params) != V_ASN1_SEQUENCE) {
721 int gost_grasshopper_cipher_ctl(EVP_CIPHER_CTX *ctx, int type, int arg,
725 case EVP_CTRL_RAND_KEY:{
727 ((unsigned char *)ptr, EVP_CIPHER_CTX_key_length(ctx)) <= 0) {
728 GOSTerr(GOST_F_GOST_GRASSHOPPER_CIPHER_CTL, GOST_R_RNG_ERROR);
733 case EVP_CTRL_KEY_MESH:{
734 gost_grasshopper_cipher_ctx_ctr *c =
735 EVP_CIPHER_CTX_get_cipher_data(ctx);
736 if (c->c.type != GRASSHOPPER_CIPHER_CTRACPKM || !arg
737 || (arg % GRASSHOPPER_BLOCK_SIZE))
739 c->section_size = arg;
742 #ifdef EVP_CTRL_TLS1_2_TLSTREE
743 case EVP_CTRL_TLS1_2_TLSTREE:
745 unsigned char newkey[32];
746 int mode = EVP_CIPHER_CTX_mode(ctx);
747 static const unsigned char zeroseq[8];
748 gost_grasshopper_cipher_ctx_ctr *ctr_ctx = NULL;
749 gost_grasshopper_cipher_ctx *c = NULL;
751 unsigned char adjusted_iv[16];
752 unsigned char seq[8];
754 if (mode != EVP_CIPH_CTR_MODE)
757 ctr_ctx = (gost_grasshopper_cipher_ctx_ctr *)
758 EVP_CIPHER_CTX_get_cipher_data(ctx);
762 if (EVP_CIPHER_CTX_encrypting(ctx)) {
764 * OpenSSL increments seq after mac calculation.
765 * As we have Mac-Then-Encrypt, we need decrement it here on encryption
766 * to derive the key correctly.
768 if (memcmp(seq, zeroseq, 8) != 0)
772 if (seq[j] != 0) {seq[j]--; break;}
777 if (gost_tlstree(NID_grasshopper_cbc, c->master_key.k.b, newkey,
778 (const unsigned char *)seq) > 0) {
779 memset(adjusted_iv, 0, 16);
780 memcpy(adjusted_iv, EVP_CIPHER_CTX_original_iv(ctx), 8);
781 for(j=7,carry=0; j>=0; j--)
783 int adj_byte = adjusted_iv[j]+seq[j]+carry;
784 carry = (adj_byte > 255) ? 1 : 0;
785 adjusted_iv[j] = adj_byte & 0xFF;
787 EVP_CIPHER_CTX_set_num(ctx, 0);
788 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), adjusted_iv, 16);
790 gost_grasshopper_cipher_key(c, newkey);
797 GOSTerr(GOST_F_GOST_GRASSHOPPER_CIPHER_CTL,
798 GOST_R_UNSUPPORTED_CIPHER_CTL_COMMAND);
804 GRASSHOPPER_INLINE EVP_CIPHER *cipher_gost_grasshopper_create(int
808 return EVP_CIPHER_meth_new(cipher_type, block_size /* block_size */ ,
809 GRASSHOPPER_KEY_SIZE /* key_size */ );
812 const int cipher_gost_grasshopper_setup(EVP_CIPHER *cipher, uint8_t mode,
813 int iv_size, bool padding)
815 return EVP_CIPHER_meth_set_iv_length(cipher, iv_size)
816 && EVP_CIPHER_meth_set_flags(cipher,
817 (unsigned long)(mode |
819 EVP_CIPH_NO_PADDING :
825 EVP_CIPH_ALWAYS_CALL_INIT)
827 && EVP_CIPHER_meth_set_cleanup(cipher, gost_grasshopper_cipher_cleanup)
828 && EVP_CIPHER_meth_set_set_asn1_params(cipher,
829 gost_grasshopper_set_asn1_parameters)
830 && EVP_CIPHER_meth_set_get_asn1_params(cipher,
831 gost_grasshopper_get_asn1_parameters)
832 && EVP_CIPHER_meth_set_ctrl(cipher, gost_grasshopper_cipher_ctl)
833 && EVP_CIPHER_meth_set_do_cipher(cipher, gost_grasshopper_cipher_do);
836 const GRASSHOPPER_INLINE EVP_CIPHER *cipher_gost_grasshopper(uint8_t mode,
840 struct GRASSHOPPER_CIPHER_PARAMS *params;
842 cipher = &gost_grasshopper_ciphers[num];
844 if (*cipher == NULL) {
845 grasshopper_init_cipher_func init_cipher;
846 int nid, block_size, ctx_size, iv_size;
849 params = &gost_cipher_params[num];
852 init_cipher = params->init_cipher;
853 block_size = params->block_size;
854 ctx_size = params->ctx_size;
855 iv_size = params->iv_size;
856 padding = params->padding;
858 *cipher = cipher_gost_grasshopper_create(nid, block_size);
859 if (*cipher == NULL) {
863 if (!cipher_gost_grasshopper_setup(*cipher, mode, iv_size, padding)
864 || !EVP_CIPHER_meth_set_init(*cipher, init_cipher)
865 || !EVP_CIPHER_meth_set_impl_ctx_size(*cipher, ctx_size)) {
866 EVP_CIPHER_meth_free(*cipher);
874 const GRASSHOPPER_INLINE EVP_CIPHER *cipher_gost_grasshopper_ecb()
876 return cipher_gost_grasshopper(EVP_CIPH_ECB_MODE, GRASSHOPPER_CIPHER_ECB);
879 const GRASSHOPPER_INLINE EVP_CIPHER *cipher_gost_grasshopper_cbc()
881 return cipher_gost_grasshopper(EVP_CIPH_CBC_MODE, GRASSHOPPER_CIPHER_CBC);
884 const GRASSHOPPER_INLINE EVP_CIPHER *cipher_gost_grasshopper_ofb()
886 return cipher_gost_grasshopper(EVP_CIPH_OFB_MODE, GRASSHOPPER_CIPHER_OFB);
889 const GRASSHOPPER_INLINE EVP_CIPHER *cipher_gost_grasshopper_cfb()
891 return cipher_gost_grasshopper(EVP_CIPH_CFB_MODE, GRASSHOPPER_CIPHER_CFB);
894 const GRASSHOPPER_INLINE EVP_CIPHER *cipher_gost_grasshopper_ctr()
896 return cipher_gost_grasshopper(EVP_CIPH_CTR_MODE, GRASSHOPPER_CIPHER_CTR);
899 const GRASSHOPPER_INLINE EVP_CIPHER *cipher_gost_grasshopper_ctracpkm()
901 return cipher_gost_grasshopper(EVP_CIPH_CTR_MODE,
902 GRASSHOPPER_CIPHER_CTRACPKM);
905 void cipher_gost_grasshopper_destroy(void)
907 EVP_CIPHER_meth_free(gost_grasshopper_ciphers[GRASSHOPPER_CIPHER_ECB]);
908 gost_grasshopper_ciphers[GRASSHOPPER_CIPHER_ECB] = NULL;
909 EVP_CIPHER_meth_free(gost_grasshopper_ciphers[GRASSHOPPER_CIPHER_CBC]);
910 gost_grasshopper_ciphers[GRASSHOPPER_CIPHER_CBC] = NULL;
911 EVP_CIPHER_meth_free(gost_grasshopper_ciphers[GRASSHOPPER_CIPHER_OFB]);
912 gost_grasshopper_ciphers[GRASSHOPPER_CIPHER_OFB] = NULL;
913 EVP_CIPHER_meth_free(gost_grasshopper_ciphers[GRASSHOPPER_CIPHER_CFB]);
914 gost_grasshopper_ciphers[GRASSHOPPER_CIPHER_CFB] = NULL;
915 EVP_CIPHER_meth_free(gost_grasshopper_ciphers[GRASSHOPPER_CIPHER_CTR]);
916 gost_grasshopper_ciphers[GRASSHOPPER_CIPHER_CTR] = NULL;
917 EVP_CIPHER_meth_free(gost_grasshopper_ciphers[GRASSHOPPER_CIPHER_CTRACPKM]);
918 gost_grasshopper_ciphers[GRASSHOPPER_CIPHER_CTRACPKM] = NULL;
projects / openssl-gost / engine.git / blob