3 * Copyright (c) 2020 Vitaly Chikunov <vt@altlinux.org>
4 * This file is distributed under the same license as OpenSSL
7 #include "gost_grasshopper_cipher.h"
8 #include "gost_grasshopper_defines.h"
9 #include "gost_grasshopper_math.h"
10 #include "gost_grasshopper_core.h"
11 #include "gost_gost2015.h"
13 #include <openssl/evp.h>
14 #include <openssl/rand.h>
15 #include <openssl/err.h>
19 #include "e_gost_err.h"
21 enum GRASSHOPPER_CIPHER_TYPE {
22 GRASSHOPPER_CIPHER_ECB = 0,
23 GRASSHOPPER_CIPHER_CBC,
24 GRASSHOPPER_CIPHER_OFB,
25 GRASSHOPPER_CIPHER_CFB,
26 GRASSHOPPER_CIPHER_CTR,
27 GRASSHOPPER_CIPHER_CTRACPKM,
28 GRASSHOPPER_CIPHER_CTRACPKMOMAC,
31 static GOST_cipher grasshopper_template_cipher = {
32 .block_size = GRASSHOPPER_BLOCK_SIZE,
33 .key_len = GRASSHOPPER_KEY_SIZE,
34 .flags = EVP_CIPH_RAND_KEY |
35 EVP_CIPH_ALWAYS_CALL_INIT,
36 .cleanup = gost_grasshopper_cipher_cleanup,
37 .ctx_size = sizeof(gost_grasshopper_cipher_ctx),
38 .set_asn1_parameters = gost_grasshopper_set_asn1_parameters,
39 .get_asn1_parameters = gost_grasshopper_get_asn1_parameters,
40 .ctrl = gost_grasshopper_cipher_ctl,
43 GOST_cipher grasshopper_ecb_cipher = {
44 .nid = NID_grasshopper_ecb,
45 .template = &grasshopper_template_cipher,
46 .flags = EVP_CIPH_ECB_MODE,
47 .init = gost_grasshopper_cipher_init_ecb,
48 .do_cipher = gost_grasshopper_cipher_do_ecb,
51 GOST_cipher grasshopper_cbc_cipher = {
52 .nid = NID_grasshopper_cbc,
53 .template = &grasshopper_template_cipher,
55 .flags = EVP_CIPH_CBC_MODE |
57 .init = gost_grasshopper_cipher_init_cbc,
58 .do_cipher = gost_grasshopper_cipher_do_cbc,
61 GOST_cipher grasshopper_ofb_cipher = {
62 .nid = NID_grasshopper_ofb,
63 .template = &grasshopper_template_cipher,
66 .flags = EVP_CIPH_OFB_MODE |
69 .init = gost_grasshopper_cipher_init_ofb,
70 .do_cipher = gost_grasshopper_cipher_do_ofb,
73 GOST_cipher grasshopper_cfb_cipher = {
74 .nid = NID_grasshopper_cfb,
75 .template = &grasshopper_template_cipher,
78 .flags = EVP_CIPH_CFB_MODE |
81 .init = gost_grasshopper_cipher_init_cfb,
82 .do_cipher = gost_grasshopper_cipher_do_cfb,
85 GOST_cipher grasshopper_ctr_cipher = {
86 .nid = NID_grasshopper_ctr,
87 .template = &grasshopper_template_cipher,
90 .flags = EVP_CIPH_CTR_MODE |
93 .init = gost_grasshopper_cipher_init_ctr,
94 .do_cipher = gost_grasshopper_cipher_do_ctr,
95 .ctx_size = sizeof(gost_grasshopper_cipher_ctx_ctr),
98 GOST_cipher grasshopper_ctr_acpkm_cipher = {
99 .nid = NID_kuznyechik_ctr_acpkm,
100 .template = &grasshopper_template_cipher,
103 .flags = EVP_CIPH_CTR_MODE |
104 EVP_CIPH_NO_PADDING |
106 .init = gost_grasshopper_cipher_init_ctracpkm,
107 .do_cipher = gost_grasshopper_cipher_do_ctracpkm,
108 .ctx_size = sizeof(gost_grasshopper_cipher_ctx_ctr),
111 GOST_cipher grasshopper_ctr_acpkm_omac_cipher = {
112 .nid = NID_kuznyechik_ctr_acpkm_omac,
113 .template = &grasshopper_template_cipher,
116 .flags = EVP_CIPH_CTR_MODE |
117 EVP_CIPH_NO_PADDING |
119 EVP_CIPH_FLAG_CUSTOM_CIPHER |
120 EVP_CIPH_FLAG_CIPHER_WITH_MAC |
121 EVP_CIPH_CUSTOM_COPY,
122 .init = gost_grasshopper_cipher_init_ctracpkm_omac,
123 .do_cipher = gost_grasshopper_cipher_do_ctracpkm_omac,
124 .ctx_size = sizeof(gost_grasshopper_cipher_ctx_ctr),
127 /* first 256 bit of D from draft-irtf-cfrg-re-keying-12 */
128 static const unsigned char ACPKM_D_2018[] = {
129 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, /* 64 bit */
130 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f, /* 128 bit */
131 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
132 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f, /* 256 bit */
135 static void acpkm_next(gost_grasshopper_cipher_ctx * c)
137 unsigned char newkey[GRASSHOPPER_KEY_SIZE];
138 const int J = GRASSHOPPER_KEY_SIZE / GRASSHOPPER_BLOCK_SIZE;
141 for (n = 0; n < J; n++) {
142 const unsigned char *D_n = &ACPKM_D_2018[n * GRASSHOPPER_BLOCK_SIZE];
144 grasshopper_encrypt_block(&c->encrypt_round_keys,
145 (grasshopper_w128_t *) D_n,
146 (grasshopper_w128_t *) & newkey[n *
147 GRASSHOPPER_BLOCK_SIZE],
150 gost_grasshopper_cipher_key(c, newkey);
153 /* Set 256 bit key into context */
154 GRASSHOPPER_INLINE void
155 gost_grasshopper_cipher_key(gost_grasshopper_cipher_ctx * c, const uint8_t *k)
158 for (i = 0; i < 2; i++) {
159 grasshopper_copy128(&c->key.k.k[i],
160 (const grasshopper_w128_t *)(k + i * 16));
163 grasshopper_set_encrypt_key(&c->encrypt_round_keys, &c->key);
164 grasshopper_set_decrypt_key(&c->decrypt_round_keys, &c->key);
167 /* Set master 256-bit key to be used in TLSTREE calculation into context */
168 GRASSHOPPER_INLINE void
169 gost_grasshopper_master_key(gost_grasshopper_cipher_ctx * c, const uint8_t *k)
172 for (i = 0; i < 2; i++) {
173 grasshopper_copy128(&c->master_key.k.k[i],
174 (const grasshopper_w128_t *)(k + i * 16));
178 /* Cleans up key from context */
179 GRASSHOPPER_INLINE void
180 gost_grasshopper_cipher_destroy(gost_grasshopper_cipher_ctx * c)
183 for (i = 0; i < 2; i++) {
184 grasshopper_zero128(&c->key.k.k[i]);
185 grasshopper_zero128(&c->master_key.k.k[i]);
187 for (i = 0; i < GRASSHOPPER_ROUND_KEYS_COUNT; i++) {
188 grasshopper_zero128(&c->encrypt_round_keys.k[i]);
190 for (i = 0; i < GRASSHOPPER_ROUND_KEYS_COUNT; i++) {
191 grasshopper_zero128(&c->decrypt_round_keys.k[i]);
193 grasshopper_zero128(&c->buffer);
196 static GRASSHOPPER_INLINE void
197 gost_grasshopper_cipher_destroy_ctr(gost_grasshopper_cipher_ctx * c)
199 gost_grasshopper_cipher_ctx_ctr *ctx =
200 (gost_grasshopper_cipher_ctx_ctr *) c;
203 EVP_MD_CTX_free(ctx->omac_ctx);
205 grasshopper_zero128(&ctx->partial_buffer);
208 int gost_grasshopper_cipher_init(EVP_CIPHER_CTX *ctx,
209 const unsigned char *key,
210 const unsigned char *iv, int enc)
212 gost_grasshopper_cipher_ctx *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
214 if (EVP_CIPHER_CTX_get_app_data(ctx) == NULL) {
215 EVP_CIPHER_CTX_set_app_data(ctx, EVP_CIPHER_CTX_get_cipher_data(ctx));
216 if (enc && c->type == GRASSHOPPER_CIPHER_CTRACPKM) {
217 gost_grasshopper_cipher_ctx_ctr *ctr = EVP_CIPHER_CTX_get_cipher_data(ctx);
218 if (init_zero_kdf_seed(ctr->kdf_seed) == 0)
224 gost_grasshopper_cipher_key(c, key);
225 gost_grasshopper_master_key(c, key);
229 memcpy((unsigned char *)EVP_CIPHER_CTX_original_iv(ctx), iv,
230 EVP_CIPHER_CTX_iv_length(ctx));
233 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx),
234 EVP_CIPHER_CTX_original_iv(ctx), EVP_CIPHER_CTX_iv_length(ctx));
236 grasshopper_zero128(&c->buffer);
241 GRASSHOPPER_INLINE int gost_grasshopper_cipher_init_ecb(EVP_CIPHER_CTX *ctx, const unsigned char
242 *key, const unsigned char
245 gost_grasshopper_cipher_ctx *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
246 c->type = GRASSHOPPER_CIPHER_ECB;
247 return gost_grasshopper_cipher_init(ctx, key, iv, enc);
250 GRASSHOPPER_INLINE int gost_grasshopper_cipher_init_cbc(EVP_CIPHER_CTX *ctx, const unsigned char
251 *key, const unsigned char
254 gost_grasshopper_cipher_ctx *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
255 c->type = GRASSHOPPER_CIPHER_CBC;
256 return gost_grasshopper_cipher_init(ctx, key, iv, enc);
259 GRASSHOPPER_INLINE int gost_grasshopper_cipher_init_ofb(EVP_CIPHER_CTX *ctx, const unsigned char
260 *key, const unsigned char
263 gost_grasshopper_cipher_ctx *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
264 c->type = GRASSHOPPER_CIPHER_OFB;
265 return gost_grasshopper_cipher_init(ctx, key, iv, enc);
268 GRASSHOPPER_INLINE int gost_grasshopper_cipher_init_cfb(EVP_CIPHER_CTX *ctx, const unsigned char
269 *key, const unsigned char
272 gost_grasshopper_cipher_ctx *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
273 c->type = GRASSHOPPER_CIPHER_CFB;
274 return gost_grasshopper_cipher_init(ctx, key, iv, enc);
277 GRASSHOPPER_INLINE int gost_grasshopper_cipher_init_ctr(EVP_CIPHER_CTX *ctx, const unsigned char
278 *key, const unsigned char
281 gost_grasshopper_cipher_ctx_ctr *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
283 c->c.type = GRASSHOPPER_CIPHER_CTR;
284 EVP_CIPHER_CTX_set_num(ctx, 0);
286 grasshopper_zero128(&c->partial_buffer);
288 return gost_grasshopper_cipher_init(ctx, key, iv, enc);
291 GRASSHOPPER_INLINE int gost_grasshopper_cipher_init_ctracpkm(EVP_CIPHER_CTX
293 char *key, const unsigned
296 gost_grasshopper_cipher_ctx_ctr *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
298 /* NB: setting type makes EVP do_cipher callback useless */
299 c->c.type = GRASSHOPPER_CIPHER_CTRACPKM;
300 EVP_CIPHER_CTX_set_num(ctx, 0);
301 c->section_size = 4096;
303 return gost_grasshopper_cipher_init(ctx, key, iv, enc);
306 GRASSHOPPER_INLINE int gost_grasshopper_cipher_init_ctracpkm_omac(EVP_CIPHER_CTX
308 char *key, const unsigned
311 gost_grasshopper_cipher_ctx_ctr *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
313 /* NB: setting type makes EVP do_cipher callback useless */
314 c->c.type = GRASSHOPPER_CIPHER_CTRACPKMOMAC;
315 EVP_CIPHER_CTX_set_num(ctx, 0);
316 c->section_size = 4096;
319 unsigned char cipher_key[32];
320 c->omac_ctx = EVP_MD_CTX_new();
322 if (c->omac_ctx == NULL) {
323 GOSTerr(GOST_F_GOST_GRASSHOPPER_CIPHER_INIT_CTRACPKM_OMAC, ERR_R_MALLOC_FAILURE);
327 if (gost2015_acpkm_omac_init(NID_kuznyechik_mac, enc, key,
328 c->omac_ctx, cipher_key, c->kdf_seed) != 1) {
329 EVP_MD_CTX_free(c->omac_ctx);
334 return gost_grasshopper_cipher_init(ctx, cipher_key, iv, enc);
337 return gost_grasshopper_cipher_init(ctx, key, iv, enc);
340 int gost_grasshopper_cipher_do_ecb(EVP_CIPHER_CTX *ctx, unsigned char *out,
341 const unsigned char *in, size_t inl)
343 gost_grasshopper_cipher_ctx *c =
344 (gost_grasshopper_cipher_ctx *) EVP_CIPHER_CTX_get_cipher_data(ctx);
345 bool encrypting = (bool) EVP_CIPHER_CTX_encrypting(ctx);
346 const unsigned char *current_in = in;
347 unsigned char *current_out = out;
348 size_t blocks = inl / GRASSHOPPER_BLOCK_SIZE;
351 for (i = 0; i < blocks;
352 i++, current_in += GRASSHOPPER_BLOCK_SIZE, current_out +=
353 GRASSHOPPER_BLOCK_SIZE) {
355 grasshopper_encrypt_block(&c->encrypt_round_keys,
356 (grasshopper_w128_t *) current_in,
357 (grasshopper_w128_t *) current_out,
360 grasshopper_decrypt_block(&c->decrypt_round_keys,
361 (grasshopper_w128_t *) current_in,
362 (grasshopper_w128_t *) current_out,
370 int gost_grasshopper_cipher_do_cbc(EVP_CIPHER_CTX *ctx, unsigned char *out,
371 const unsigned char *in, size_t inl)
373 gost_grasshopper_cipher_ctx *c =
374 (gost_grasshopper_cipher_ctx *) EVP_CIPHER_CTX_get_cipher_data(ctx);
375 unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
376 bool encrypting = (bool) EVP_CIPHER_CTX_encrypting(ctx);
377 const unsigned char *current_in = in;
378 unsigned char *current_out = out;
379 size_t blocks = inl / GRASSHOPPER_BLOCK_SIZE;
381 grasshopper_w128_t *currentBlock;
383 currentBlock = (grasshopper_w128_t *) iv;
385 for (i = 0; i < blocks;
386 i++, current_in += GRASSHOPPER_BLOCK_SIZE, current_out +=
387 GRASSHOPPER_BLOCK_SIZE) {
388 grasshopper_w128_t *currentInputBlock = (grasshopper_w128_t *) current_in;
389 grasshopper_w128_t *currentOutputBlock = (grasshopper_w128_t *) current_out;
391 grasshopper_append128(currentBlock, currentInputBlock);
392 grasshopper_encrypt_block(&c->encrypt_round_keys, currentBlock,
393 currentOutputBlock, &c->buffer);
394 grasshopper_copy128(currentBlock, currentOutputBlock);
396 grasshopper_w128_t tmp;
398 grasshopper_copy128(&tmp, currentInputBlock);
399 grasshopper_decrypt_block(&c->decrypt_round_keys,
400 currentInputBlock, currentOutputBlock,
402 grasshopper_append128(currentOutputBlock, currentBlock);
403 grasshopper_copy128(currentBlock, &tmp);
410 void inc_counter(unsigned char *counter, size_t counter_bytes)
412 unsigned int n = counter_bytes;
425 /* increment counter (128-bit int) by 1 */
426 static void ctr128_inc(unsigned char *counter)
428 inc_counter(counter, 16);
431 int gost_grasshopper_cipher_do_ctr(EVP_CIPHER_CTX *ctx, unsigned char *out,
432 const unsigned char *in, size_t inl)
434 gost_grasshopper_cipher_ctx_ctr *c = (gost_grasshopper_cipher_ctx_ctr *)
435 EVP_CIPHER_CTX_get_cipher_data(ctx);
436 unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
437 const unsigned char *current_in = in;
438 unsigned char *current_out = out;
439 grasshopper_w128_t *currentInputBlock;
440 grasshopper_w128_t *currentOutputBlock;
441 unsigned int n = EVP_CIPHER_CTX_num(ctx);
445 grasshopper_w128_t *iv_buffer;
446 grasshopper_w128_t tmp;
448 while (n && lasted) {
449 *(current_out++) = *(current_in++) ^ c->partial_buffer.b[n];
451 n = (n + 1) % GRASSHOPPER_BLOCK_SIZE;
453 EVP_CIPHER_CTX_set_num(ctx, n);
454 blocks = lasted / GRASSHOPPER_BLOCK_SIZE;
456 iv_buffer = (grasshopper_w128_t *) iv;
459 for (i = 0; i < blocks; i++) {
460 currentInputBlock = (grasshopper_w128_t *) current_in;
461 currentOutputBlock = (grasshopper_w128_t *) current_out;
462 grasshopper_encrypt_block(&c->c.encrypt_round_keys, iv_buffer,
463 &c->partial_buffer, &c->c.buffer);
464 grasshopper_plus128(&tmp, &c->partial_buffer, currentInputBlock);
465 grasshopper_copy128(currentOutputBlock, &tmp);
466 ctr128_inc(iv_buffer->b);
467 current_in += GRASSHOPPER_BLOCK_SIZE;
468 current_out += GRASSHOPPER_BLOCK_SIZE;
469 lasted -= GRASSHOPPER_BLOCK_SIZE;
473 currentInputBlock = (grasshopper_w128_t *) current_in;
474 currentOutputBlock = (grasshopper_w128_t *) current_out;
475 grasshopper_encrypt_block(&c->c.encrypt_round_keys, iv_buffer,
476 &c->partial_buffer, &c->c.buffer);
477 for (i = 0; i < lasted; i++) {
478 currentOutputBlock->b[i] =
479 c->partial_buffer.b[i] ^ currentInputBlock->b[i];
481 EVP_CIPHER_CTX_set_num(ctx, i);
482 ctr128_inc(iv_buffer->b);
488 #define GRASSHOPPER_BLOCK_MASK (GRASSHOPPER_BLOCK_SIZE - 1)
489 static inline void apply_acpkm_grasshopper(gost_grasshopper_cipher_ctx_ctr *
490 ctx, unsigned int *num)
492 if (!ctx->section_size || (*num < ctx->section_size))
495 *num &= GRASSHOPPER_BLOCK_MASK;
498 /* If meshing is not configured via ctrl (setting section_size)
499 * this function works exactly like plain ctr */
500 int gost_grasshopper_cipher_do_ctracpkm(EVP_CIPHER_CTX *ctx,
502 const unsigned char *in, size_t inl)
504 gost_grasshopper_cipher_ctx_ctr *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
505 unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
506 unsigned int num = EVP_CIPHER_CTX_num(ctx);
507 size_t blocks, i, lasted = inl;
508 grasshopper_w128_t tmp;
510 while ((num & GRASSHOPPER_BLOCK_MASK) && lasted) {
511 *out++ = *in++ ^ c->partial_buffer.b[num & GRASSHOPPER_BLOCK_MASK];
515 blocks = lasted / GRASSHOPPER_BLOCK_SIZE;
518 for (i = 0; i < blocks; i++) {
519 apply_acpkm_grasshopper(c, &num);
520 grasshopper_encrypt_block(&c->c.encrypt_round_keys,
521 (grasshopper_w128_t *) iv,
522 (grasshopper_w128_t *) & c->partial_buffer,
524 grasshopper_plus128(&tmp, &c->partial_buffer,
525 (grasshopper_w128_t *) in);
526 grasshopper_copy128((grasshopper_w128_t *) out, &tmp);
528 in += GRASSHOPPER_BLOCK_SIZE;
529 out += GRASSHOPPER_BLOCK_SIZE;
530 num += GRASSHOPPER_BLOCK_SIZE;
531 lasted -= GRASSHOPPER_BLOCK_SIZE;
536 apply_acpkm_grasshopper(c, &num);
537 grasshopper_encrypt_block(&c->c.encrypt_round_keys,
538 (grasshopper_w128_t *) iv,
539 &c->partial_buffer, &c->c.buffer);
540 for (i = 0; i < lasted; i++)
541 out[i] = c->partial_buffer.b[i] ^ in[i];
545 EVP_CIPHER_CTX_set_num(ctx, num);
550 int gost_grasshopper_cipher_do_ctracpkm_omac(EVP_CIPHER_CTX *ctx,
552 const unsigned char *in, size_t inl)
555 gost_grasshopper_cipher_ctx_ctr *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
556 /* As in and out can be the same pointer, process unencrypted here */
557 if (EVP_CIPHER_CTX_encrypting(ctx))
558 EVP_DigestSignUpdate(c->omac_ctx, in, inl);
560 if (in == NULL && inl == 0) { /* Final call */
561 return gost2015_final_call(ctx, c->omac_ctx, KUZNYECHIK_MAC_MAX_SIZE, c->tag, gost_grasshopper_cipher_do_ctracpkm);
565 GOSTerr(GOST_F_GOST_GRASSHOPPER_CIPHER_DO_CTRACPKM_OMAC, ERR_R_EVP_LIB);
568 result = gost_grasshopper_cipher_do_ctracpkm(ctx, out, in, inl);
570 /* As in and out can be the same pointer, process decrypted here */
571 if (!EVP_CIPHER_CTX_encrypting(ctx))
572 EVP_DigestSignUpdate(c->omac_ctx, out, inl);
577 * Fixed 128-bit IV implementation make shift regiser redundant.
579 static void gost_grasshopper_cnt_next(gost_grasshopper_cipher_ctx * ctx,
580 grasshopper_w128_t * iv,
581 grasshopper_w128_t * buf)
583 grasshopper_w128_t tmp;
584 memcpy(&tmp, iv, 16);
585 grasshopper_encrypt_block(&ctx->encrypt_round_keys, &tmp,
590 int gost_grasshopper_cipher_do_ofb(EVP_CIPHER_CTX *ctx, unsigned char *out,
591 const unsigned char *in, size_t inl)
593 gost_grasshopper_cipher_ctx *c = (gost_grasshopper_cipher_ctx *)
594 EVP_CIPHER_CTX_get_cipher_data(ctx);
595 const unsigned char *in_ptr = in;
596 unsigned char *out_ptr = out;
597 unsigned char *buf = EVP_CIPHER_CTX_buf_noconst(ctx);
598 unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
599 int num = EVP_CIPHER_CTX_num(ctx);
603 /* process partial block if any */
605 for (j = (size_t)num, i = 0; j < GRASSHOPPER_BLOCK_SIZE && i < inl;
606 j++, i++, in_ptr++, out_ptr++) {
607 *out_ptr = buf[j] ^ (*in_ptr);
609 if (j == GRASSHOPPER_BLOCK_SIZE) {
610 EVP_CIPHER_CTX_set_num(ctx, 0);
612 EVP_CIPHER_CTX_set_num(ctx, (int)j);
617 for (; i + GRASSHOPPER_BLOCK_SIZE <
619 i += GRASSHOPPER_BLOCK_SIZE, in_ptr +=
620 GRASSHOPPER_BLOCK_SIZE, out_ptr += GRASSHOPPER_BLOCK_SIZE) {
622 * block cipher current iv
625 gost_grasshopper_cnt_next(c, (grasshopper_w128_t *) iv,
626 (grasshopper_w128_t *) buf);
629 * xor next block of input text with it and output it
634 for (j = 0; j < GRASSHOPPER_BLOCK_SIZE; j++) {
635 out_ptr[j] = buf[j] ^ in_ptr[j];
639 /* Process rest of buffer */
641 gost_grasshopper_cnt_next(c, (grasshopper_w128_t *) iv,
642 (grasshopper_w128_t *) buf);
643 for (j = 0; i < inl; j++, i++) {
644 out_ptr[j] = buf[j] ^ in_ptr[j];
646 EVP_CIPHER_CTX_set_num(ctx, (int)j);
648 EVP_CIPHER_CTX_set_num(ctx, 0);
654 int gost_grasshopper_cipher_do_cfb(EVP_CIPHER_CTX *ctx, unsigned char *out,
655 const unsigned char *in, size_t inl)
657 gost_grasshopper_cipher_ctx *c =
658 (gost_grasshopper_cipher_ctx *) EVP_CIPHER_CTX_get_cipher_data(ctx);
659 const unsigned char *in_ptr = in;
660 unsigned char *out_ptr = out;
661 unsigned char *buf = EVP_CIPHER_CTX_buf_noconst(ctx);
662 unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
663 bool encrypting = (bool) EVP_CIPHER_CTX_encrypting(ctx);
664 int num = EVP_CIPHER_CTX_num(ctx);
668 /* process partial block if any */
670 for (j = (size_t)num, i = 0; j < GRASSHOPPER_BLOCK_SIZE && i < inl;
671 j++, i++, in_ptr++, out_ptr++) {
673 buf[j + GRASSHOPPER_BLOCK_SIZE] = *in_ptr;
675 *out_ptr = buf[j] ^ (*in_ptr);
677 buf[j + GRASSHOPPER_BLOCK_SIZE] = *out_ptr;
680 if (j == GRASSHOPPER_BLOCK_SIZE) {
681 memcpy(iv, buf + GRASSHOPPER_BLOCK_SIZE, GRASSHOPPER_BLOCK_SIZE);
682 EVP_CIPHER_CTX_set_num(ctx, 0);
684 EVP_CIPHER_CTX_set_num(ctx, (int)j);
689 for (; i + GRASSHOPPER_BLOCK_SIZE <
691 i += GRASSHOPPER_BLOCK_SIZE, in_ptr +=
692 GRASSHOPPER_BLOCK_SIZE, out_ptr += GRASSHOPPER_BLOCK_SIZE) {
694 * block cipher current iv
696 grasshopper_encrypt_block(&c->encrypt_round_keys,
697 (grasshopper_w128_t *) iv,
698 (grasshopper_w128_t *) buf, &c->buffer);
700 * xor next block of input text with it and output it
706 memcpy(iv, in_ptr, GRASSHOPPER_BLOCK_SIZE);
708 for (j = 0; j < GRASSHOPPER_BLOCK_SIZE; j++) {
709 out_ptr[j] = buf[j] ^ in_ptr[j];
712 /* Next iv is next block of cipher text */
714 memcpy(iv, out_ptr, GRASSHOPPER_BLOCK_SIZE);
718 /* Process rest of buffer */
720 grasshopper_encrypt_block(&c->encrypt_round_keys,
721 (grasshopper_w128_t *) iv,
722 (grasshopper_w128_t *) buf, &c->buffer);
724 memcpy(buf + GRASSHOPPER_BLOCK_SIZE, in_ptr, inl - i);
726 for (j = 0; i < inl; j++, i++) {
727 out_ptr[j] = buf[j] ^ in_ptr[j];
729 EVP_CIPHER_CTX_set_num(ctx, (int)j);
731 memcpy(buf + GRASSHOPPER_BLOCK_SIZE, out_ptr, j);
734 EVP_CIPHER_CTX_set_num(ctx, 0);
740 int gost_grasshopper_cipher_cleanup(EVP_CIPHER_CTX *ctx)
742 gost_grasshopper_cipher_ctx *c =
743 (gost_grasshopper_cipher_ctx *) EVP_CIPHER_CTX_get_cipher_data(ctx);
748 if (EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_CTR_MODE)
749 gost_grasshopper_cipher_destroy_ctr(c);
751 EVP_CIPHER_CTX_set_app_data(ctx, NULL);
756 int gost_grasshopper_set_asn1_parameters(EVP_CIPHER_CTX *ctx, ASN1_TYPE *params)
758 if (EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_CTR_MODE) {
759 gost_grasshopper_cipher_ctx_ctr *ctr = EVP_CIPHER_CTX_get_cipher_data(ctx);
761 /* CMS implies 256kb section_size */
762 ctr->section_size = 256*1024;
764 return gost2015_set_asn1_params(params, EVP_CIPHER_CTX_original_iv(ctx), 8,
770 GRASSHOPPER_INLINE int gost_grasshopper_get_asn1_parameters(EVP_CIPHER_CTX
774 if (EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_CTR_MODE) {
775 gost_grasshopper_cipher_ctx_ctr *ctr = EVP_CIPHER_CTX_get_cipher_data(ctx);
778 unsigned char iv[16];
780 if (gost2015_get_asn1_params(params, 16, iv, 8, ctr->kdf_seed) == 0) {
784 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, iv_len);
785 memcpy((unsigned char *)EVP_CIPHER_CTX_original_iv(ctx), iv, iv_len);
787 /* CMS implies 256kb section_size */
788 ctr->section_size = 256*1024;
794 int gost_grasshopper_cipher_ctl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
797 case EVP_CTRL_RAND_KEY:{
799 ((unsigned char *)ptr, EVP_CIPHER_CTX_key_length(ctx)) <= 0) {
800 GOSTerr(GOST_F_GOST_GRASSHOPPER_CIPHER_CTL, GOST_R_RNG_ERROR);
805 case EVP_CTRL_KEY_MESH:{
806 gost_grasshopper_cipher_ctx_ctr *c =
807 EVP_CIPHER_CTX_get_cipher_data(ctx);
808 if ((c->c.type != GRASSHOPPER_CIPHER_CTRACPKM &&
809 c->c.type != GRASSHOPPER_CIPHER_CTRACPKMOMAC)
811 || (arg % GRASSHOPPER_BLOCK_SIZE))
813 c->section_size = arg;
816 #ifdef EVP_CTRL_TLS1_2_TLSTREE
817 case EVP_CTRL_TLS1_2_TLSTREE:
819 unsigned char newkey[32];
820 int mode = EVP_CIPHER_CTX_mode(ctx);
821 static const unsigned char zeroseq[8];
822 gost_grasshopper_cipher_ctx_ctr *ctr_ctx = NULL;
823 gost_grasshopper_cipher_ctx *c = NULL;
825 unsigned char adjusted_iv[16];
826 unsigned char seq[8];
828 if (mode != EVP_CIPH_CTR_MODE)
831 ctr_ctx = (gost_grasshopper_cipher_ctx_ctr *)
832 EVP_CIPHER_CTX_get_cipher_data(ctx);
836 if (EVP_CIPHER_CTX_encrypting(ctx)) {
838 * OpenSSL increments seq after mac calculation.
839 * As we have Mac-Then-Encrypt, we need decrement it here on encryption
840 * to derive the key correctly.
842 if (memcmp(seq, zeroseq, 8) != 0)
846 if (seq[j] != 0) {seq[j]--; break;}
851 if (gost_tlstree(NID_grasshopper_cbc, c->master_key.k.b, newkey,
852 (const unsigned char *)seq) > 0) {
853 memset(adjusted_iv, 0, 16);
854 memcpy(adjusted_iv, EVP_CIPHER_CTX_original_iv(ctx), 8);
855 for(j=7,carry=0; j>=0; j--)
857 int adj_byte = adjusted_iv[j]+seq[j]+carry;
858 carry = (adj_byte > 255) ? 1 : 0;
859 adjusted_iv[j] = adj_byte & 0xFF;
861 EVP_CIPHER_CTX_set_num(ctx, 0);
862 memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), adjusted_iv, 16);
864 gost_grasshopper_cipher_key(c, newkey);
871 case EVP_CTRL_AEAD_GET_TAG:
872 case EVP_CTRL_AEAD_SET_TAG:
875 unsigned char *tag = ptr;
877 gost_grasshopper_cipher_ctx *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
878 if (c->c.type != GRASSHOPPER_CIPHER_MGM)
881 if (taglen > KUZNYECHIK_MAC_MAX_SIZE) {
882 CRYPTOCOMerr(CRYPTOCOM_F_GOST_GRASSHOPPER_CIPHER_CTL,
883 CRYPTOCOM_R_INVALID_TAG_LENGTH);
887 if (type == EVP_CTRL_AEAD_GET_TAG)
888 memcpy(tag, c->final_tag, taglen);
890 memcpy(c->final_tag, tag, taglen);
895 case EVP_CTRL_PROCESS_UNPROTECTED:
897 STACK_OF(X509_ATTRIBUTE) *x = ptr;
898 gost_grasshopper_cipher_ctx_ctr *c = EVP_CIPHER_CTX_get_cipher_data(ctx);
900 if (c->c.type != GRASSHOPPER_CIPHER_CTRACPKMOMAC)
903 return gost2015_process_unprotected_attributes(x, arg, KUZNYECHIK_MAC_MAX_SIZE, c->tag);
906 case EVP_CTRL_COPY: {
907 EVP_CIPHER_CTX *out = ptr;
909 gost_grasshopper_cipher_ctx_ctr *out_cctx = EVP_CIPHER_CTX_get_cipher_data(out);
910 gost_grasshopper_cipher_ctx_ctr *in_cctx = EVP_CIPHER_CTX_get_cipher_data(ctx);
912 if (in_cctx->c.type != GRASSHOPPER_CIPHER_CTRACPKMOMAC)
915 if (in_cctx->omac_ctx == out_cctx->omac_ctx) {
916 out_cctx->omac_ctx = EVP_MD_CTX_new();
917 if (out_cctx->omac_ctx == NULL) {
918 GOSTerr(GOST_F_GOST_GRASSHOPPER_CIPHER_CTL, ERR_R_MALLOC_FAILURE);
922 return EVP_MD_CTX_copy(out_cctx->omac_ctx, in_cctx->omac_ctx);
925 GOSTerr(GOST_F_GOST_GRASSHOPPER_CIPHER_CTL,
926 GOST_R_UNSUPPORTED_CIPHER_CTL_COMMAND);
932 const GRASSHOPPER_INLINE EVP_CIPHER *cipher_gost_grasshopper_ctracpkm()
934 return GOST_init_cipher(&grasshopper_ctr_acpkm_cipher);
936 /* vim: set expandtab cinoptions=\:0,l1,t0,g0,(0 sw=4 : */
projects / openssl-gost / engine.git / blob