1 /*
   2  * Copyright (c) 2003 Markus Friedl <markus@openbsd.org>
   3  *
   4  * Permission to use, copy, modify, and distribute this software for any
   5  * purpose with or without fee is hereby granted, provided that the above
   6  * copyright notice and this permission notice appear in all copies.
   7  *
   8  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
   9  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
  10  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
  11  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
  12  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  13  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  14  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  15  */
  16 /*
  17  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
  18  * Use is subject to license terms.
  19  */
  20 
  21 #include "includes.h"
  22 RCSID("$OpenBSD: cipher-ctr.c,v 1.4 2004/02/06 23:41:13 dtucker Exp $");
  23 
  24 #include <openssl/evp.h>
  25 
  26 #include "log.h"
  27 #include "xmalloc.h"
  28 #include <openssl/aes.h>
  29 
  30 const EVP_CIPHER *evp_aes_128_ctr(void);
  31 void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);
  32 
  33 struct ssh_aes_ctr_ctx
  34 {
  35         AES_KEY         aes_ctx;
  36         u_char          aes_counter[AES_BLOCK_SIZE];
  37 };
  38 
  39 /*
  40  * increment counter 'ctr',
  41  * the counter is of size 'len' bytes and stored in network-byte-order.
  42  * (LSB at ctr[len-1], MSB at ctr[0])
  43  */
  44 static void
  45 ssh_ctr_inc(u_char *ctr, u_int len)
  46 {
  47         int i;
  48 
  49         for (i = len - 1; i >= 0; i--)
  50                 if (++ctr[i])   /* continue on overflow */
  51                         return;
  52 }
  53 
  54 static int
  55 ssh_aes_ctr(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src,
  56     u_int len)
  57 {
  58         struct ssh_aes_ctr_ctx *c;
  59         u_int n = 0;
  60         u_char buf[AES_BLOCK_SIZE];
  61 
  62         if (len == 0)
  63                 return (1);
  64         if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL)
  65                 return (0);
  66 
  67         while ((len--) > 0) {
  68                 if (n == 0) {
  69                         AES_encrypt(c->aes_counter, buf, &c->aes_ctx);
  70                         ssh_ctr_inc(c->aes_counter, AES_BLOCK_SIZE);
  71                 }
  72                 *(dest++) = *(src++) ^ buf[n];
  73                 n = (n + 1) % AES_BLOCK_SIZE;
  74         }
  75         return (1);
  76 }
  77 
  78 static int
  79 ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
  80     int enc)
  81 {
  82         struct ssh_aes_ctr_ctx *c;
  83 
  84         if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
  85                 c = xmalloc(sizeof(*c));
  86                 EVP_CIPHER_CTX_set_app_data(ctx, c);
  87         }
  88         if (key != NULL)
  89                 AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
  90                      &c->aes_ctx);
  91         if (iv != NULL)
  92                 memcpy(c->aes_counter, iv, AES_BLOCK_SIZE);
  93         return (1);
  94 }
  95 
  96 static int
  97 ssh_aes_ctr_cleanup(EVP_CIPHER_CTX *ctx)
  98 {
  99         struct ssh_aes_ctr_ctx *c;
 100 
 101         if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
 102                 memset(c, 0, sizeof(*c));
 103                 xfree(c);
 104                 EVP_CIPHER_CTX_set_app_data(ctx, NULL);
 105         }
 106         return (1);
 107 }
 108 
 109 void
 110 ssh_aes_ctr_iv(EVP_CIPHER_CTX *evp, int doset, u_char * iv, u_int len)
 111 {
 112         struct ssh_aes_ctr_ctx *c;
 113 
 114         if ((c = EVP_CIPHER_CTX_get_app_data(evp)) == NULL)
 115                 fatal("ssh_aes_ctr_iv: no context");
 116         if (doset)
 117                 memcpy(c->aes_counter, iv, len);
 118         else
 119                 memcpy(iv, c->aes_counter, len);
 120 }
 121 
 122 /*
 123  * Function fills an EVP_CIPHER structure for AES CTR functions based on the NID
 124  * and the key length.
 125  */
 126 static const EVP_CIPHER *
 127 evp_aes_ctr(const char *nid, int key_len, EVP_CIPHER *aes_ctr)
 128 {
 129         memset(aes_ctr, 0, sizeof(EVP_CIPHER));
 130         /*
 131          * If the PKCS#11 engine is used the AES CTR NIDs were dynamically
 132          * created during the engine initialization. If the engine is not used
 133          * we work with NID_undef's which is OK since in that case OpenSSL
 134          * doesn't use NIDs at all.
 135          */
 136         if ((aes_ctr->nid = OBJ_ln2nid(nid)) != NID_undef)
 137                 debug3("%s NID found", nid);
 138 
 139         aes_ctr->block_size = AES_BLOCK_SIZE;
 140         aes_ctr->iv_len = AES_BLOCK_SIZE;
 141         aes_ctr->key_len = key_len;
 142         aes_ctr->init = ssh_aes_ctr_init;
 143         aes_ctr->cleanup = ssh_aes_ctr_cleanup;
 144         aes_ctr->do_cipher = ssh_aes_ctr;
 145         aes_ctr->flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
 146             EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
 147         return (aes_ctr);
 148 }
 149 
 150 const EVP_CIPHER *
 151 evp_aes_128_ctr(void)
 152 {
 153         static EVP_CIPHER aes_ctr;
 154 
 155         return (evp_aes_ctr("aes-128-ctr", 16, &aes_ctr));
 156 }
 157 
 158 const EVP_CIPHER *
 159 evp_aes_192_ctr(void)
 160 {
 161         static EVP_CIPHER aes_ctr;
 162 
 163         return (evp_aes_ctr("aes-192-ctr", 24, &aes_ctr));
 164 }
 165 
 166 const EVP_CIPHER *
 167 evp_aes_256_ctr(void)
 168 {
 169         static EVP_CIPHER aes_ctr;
 170 
 171         return (evp_aes_ctr("aes-256-ctr", 32, &aes_ctr));
 172 }