Line data Source code
1 : /* cipher.c - cipher dispatcher
2 : * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003
3 : * 2005, 2007, 2008, 2009, 2011 Free Software Foundation, Inc.
4 : * Copyright (C) 2013 g10 Code GmbH
5 : *
6 : * This file is part of Libgcrypt.
7 : *
8 : * Libgcrypt is free software; you can redistribute it and/or modify
9 : * it under the terms of the GNU Lesser general Public License as
10 : * published by the Free Software Foundation; either version 2.1 of
11 : * the License, or (at your option) any later version.
12 : *
13 : * Libgcrypt is distributed in the hope that it will be useful,
14 : * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 : * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 : * GNU Lesser General Public License for more details.
17 : *
18 : * You should have received a copy of the GNU Lesser General Public
19 : * License along with this program; if not, see <http://www.gnu.org/licenses/>.
20 : */
21 :
22 : #include <config.h>
23 : #include <stdio.h>
24 : #include <stdlib.h>
25 : #include <string.h>
26 : #include <errno.h>
27 :
28 : #include "g10lib.h"
29 : #include "../src/gcrypt-testapi.h"
30 : #include "cipher.h"
31 : #include "./cipher-internal.h"
32 :
33 :
34 : /* This is the list of the default ciphers, which are included in
35 : libgcrypt. */
36 : static gcry_cipher_spec_t *cipher_list[] =
37 : {
38 : #if USE_BLOWFISH
39 : &_gcry_cipher_spec_blowfish,
40 : #endif
41 : #if USE_DES
42 : &_gcry_cipher_spec_des,
43 : &_gcry_cipher_spec_tripledes,
44 : #endif
45 : #if USE_ARCFOUR
46 : &_gcry_cipher_spec_arcfour,
47 : #endif
48 : #if USE_CAST5
49 : &_gcry_cipher_spec_cast5,
50 : #endif
51 : #if USE_AES
52 : &_gcry_cipher_spec_aes,
53 : &_gcry_cipher_spec_aes192,
54 : &_gcry_cipher_spec_aes256,
55 : #endif
56 : #if USE_TWOFISH
57 : &_gcry_cipher_spec_twofish,
58 : &_gcry_cipher_spec_twofish128,
59 : #endif
60 : #if USE_SERPENT
61 : &_gcry_cipher_spec_serpent128,
62 : &_gcry_cipher_spec_serpent192,
63 : &_gcry_cipher_spec_serpent256,
64 : #endif
65 : #if USE_RFC2268
66 : &_gcry_cipher_spec_rfc2268_40,
67 : &_gcry_cipher_spec_rfc2268_128,
68 : #endif
69 : #if USE_SEED
70 : &_gcry_cipher_spec_seed,
71 : #endif
72 : #if USE_CAMELLIA
73 : &_gcry_cipher_spec_camellia128,
74 : &_gcry_cipher_spec_camellia192,
75 : &_gcry_cipher_spec_camellia256,
76 : #endif
77 : #ifdef USE_IDEA
78 : &_gcry_cipher_spec_idea,
79 : #endif
80 : #if USE_SALSA20
81 : &_gcry_cipher_spec_salsa20,
82 : &_gcry_cipher_spec_salsa20r12,
83 : #endif
84 : #if USE_GOST28147
85 : &_gcry_cipher_spec_gost28147,
86 : #endif
87 : #if USE_CHACHA20
88 : &_gcry_cipher_spec_chacha20,
89 : #endif
90 : NULL
91 : };
92 :
93 :
94 :
95 : �
96 : static int
97 0 : map_algo (int algo)
98 : {
99 0 : return algo;
100 : }
101 :
102 :
103 : /* Return the spec structure for the cipher algorithm ALGO. For
104 : an unknown algorithm NULL is returned. */
105 : static gcry_cipher_spec_t *
106 0 : spec_from_algo (int algo)
107 : {
108 : int idx;
109 : gcry_cipher_spec_t *spec;
110 :
111 0 : algo = map_algo (algo);
112 :
113 0 : for (idx = 0; (spec = cipher_list[idx]); idx++)
114 0 : if (algo == spec->algo)
115 0 : return spec;
116 0 : return NULL;
117 : }
118 :
119 :
120 : /* Lookup a cipher's spec by its name. */
121 : static gcry_cipher_spec_t *
122 0 : spec_from_name (const char *name)
123 : {
124 : gcry_cipher_spec_t *spec;
125 : int idx;
126 : const char **aliases;
127 :
128 0 : for (idx=0; (spec = cipher_list[idx]); idx++)
129 : {
130 0 : if (!stricmp (name, spec->name))
131 0 : return spec;
132 0 : if (spec->aliases)
133 : {
134 0 : for (aliases = spec->aliases; *aliases; aliases++)
135 0 : if (!stricmp (name, *aliases))
136 0 : return spec;
137 : }
138 : }
139 :
140 0 : return NULL;
141 : }
142 :
143 :
144 : /* Lookup a cipher's spec by its OID. */
145 : static gcry_cipher_spec_t *
146 0 : spec_from_oid (const char *oid)
147 : {
148 : gcry_cipher_spec_t *spec;
149 : gcry_cipher_oid_spec_t *oid_specs;
150 : int idx, j;
151 :
152 0 : for (idx=0; (spec = cipher_list[idx]); idx++)
153 : {
154 0 : oid_specs = spec->oids;
155 0 : if (oid_specs)
156 : {
157 0 : for (j = 0; oid_specs[j].oid; j++)
158 0 : if (!stricmp (oid, oid_specs[j].oid))
159 0 : return spec;
160 : }
161 : }
162 :
163 0 : return NULL;
164 : }
165 :
166 :
167 : /* Locate the OID in the oid table and return the spec or NULL if not
168 : found. An optional "oid." or "OID." prefix in OID is ignored, the
169 : OID is expected to be in standard IETF dotted notation. A pointer
170 : to the OID specification of the module implementing this algorithm
171 : is return in OID_SPEC unless passed as NULL.*/
172 : static gcry_cipher_spec_t *
173 0 : search_oid (const char *oid, gcry_cipher_oid_spec_t *oid_spec)
174 : {
175 : gcry_cipher_spec_t *spec;
176 : int i;
177 :
178 0 : if (!oid)
179 0 : return NULL;
180 :
181 0 : if (!strncmp (oid, "oid.", 4) || !strncmp (oid, "OID.", 4))
182 0 : oid += 4;
183 :
184 0 : spec = spec_from_oid (oid);
185 0 : if (spec && spec->oids)
186 : {
187 0 : for (i = 0; spec->oids[i].oid; i++)
188 0 : if (!stricmp (oid, spec->oids[i].oid))
189 : {
190 0 : if (oid_spec)
191 0 : *oid_spec = spec->oids[i];
192 0 : return spec;
193 : }
194 : }
195 :
196 0 : return NULL;
197 : }
198 :
199 :
200 : /* Map STRING to the cipher algorithm identifier. Returns the
201 : algorithm ID of the cipher for the given name or 0 if the name is
202 : not known. It is valid to pass NULL for STRING which results in a
203 : return value of 0. */
204 : int
205 0 : _gcry_cipher_map_name (const char *string)
206 : {
207 : gcry_cipher_spec_t *spec;
208 :
209 0 : if (!string)
210 0 : return 0;
211 :
212 : /* If the string starts with a digit (optionally prefixed with
213 : either "OID." or "oid."), we first look into our table of ASN.1
214 : object identifiers to figure out the algorithm */
215 :
216 0 : spec = search_oid (string, NULL);
217 0 : if (spec)
218 0 : return spec->algo;
219 :
220 0 : spec = spec_from_name (string);
221 0 : if (spec)
222 0 : return spec->algo;
223 :
224 0 : return 0;
225 : }
226 :
227 :
228 : /* Given a STRING with an OID in dotted decimal notation, this
229 : function returns the cipher mode (GCRY_CIPHER_MODE_*) associated
230 : with that OID or 0 if no mode is known. Passing NULL for string
231 : yields a return value of 0. */
232 : int
233 0 : _gcry_cipher_mode_from_oid (const char *string)
234 : {
235 : gcry_cipher_spec_t *spec;
236 : gcry_cipher_oid_spec_t oid_spec;
237 :
238 0 : if (!string)
239 0 : return 0;
240 :
241 0 : spec = search_oid (string, &oid_spec);
242 0 : if (spec)
243 0 : return oid_spec.mode;
244 :
245 0 : return 0;
246 : }
247 :
248 :
249 : /* Map the cipher algorithm identifier ALGORITHM to a string
250 : representing this algorithm. This string is the default name as
251 : used by Libgcrypt. A "?" is returned for an unknown algorithm.
252 : NULL is never returned. */
253 : const char *
254 0 : _gcry_cipher_algo_name (int algorithm)
255 : {
256 : gcry_cipher_spec_t *spec;
257 :
258 0 : spec = spec_from_algo (algorithm);
259 0 : return spec? spec->name : "?";
260 : }
261 :
262 :
263 : /* Flag the cipher algorithm with the identifier ALGORITHM as
264 : disabled. There is no error return, the function does nothing for
265 : unknown algorithms. Disabled algorithms are virtually not
266 : available in Libgcrypt. This is not thread safe and should thus be
267 : called early. */
268 : static void
269 0 : disable_cipher_algo (int algo)
270 : {
271 0 : gcry_cipher_spec_t *spec = spec_from_algo (algo);
272 :
273 0 : if (spec)
274 0 : spec->flags.disabled = 1;
275 0 : }
276 :
277 :
278 : /* Return 0 if the cipher algorithm with identifier ALGORITHM is
279 : available. Returns a basic error code value if it is not
280 : available. */
281 : static gcry_err_code_t
282 0 : check_cipher_algo (int algorithm)
283 : {
284 : gcry_cipher_spec_t *spec;
285 :
286 0 : spec = spec_from_algo (algorithm);
287 0 : if (spec && !spec->flags.disabled)
288 0 : return 0;
289 :
290 0 : return GPG_ERR_CIPHER_ALGO;
291 : }
292 :
293 :
294 : /* Return the standard length in bits of the key for the cipher
295 : algorithm with the identifier ALGORITHM. */
296 : static unsigned int
297 0 : cipher_get_keylen (int algorithm)
298 : {
299 : gcry_cipher_spec_t *spec;
300 0 : unsigned len = 0;
301 :
302 0 : spec = spec_from_algo (algorithm);
303 0 : if (spec)
304 : {
305 0 : len = spec->keylen;
306 0 : if (!len)
307 0 : log_bug ("cipher %d w/o key length\n", algorithm);
308 : }
309 :
310 0 : return len;
311 : }
312 :
313 :
314 : /* Return the block length of the cipher algorithm with the identifier
315 : ALGORITHM. This function return 0 for an invalid algorithm. */
316 : static unsigned int
317 0 : cipher_get_blocksize (int algorithm)
318 : {
319 : gcry_cipher_spec_t *spec;
320 0 : unsigned len = 0;
321 :
322 0 : spec = spec_from_algo (algorithm);
323 0 : if (spec)
324 : {
325 0 : len = spec->blocksize;
326 0 : if (!len)
327 0 : log_bug ("cipher %d w/o blocksize\n", algorithm);
328 : }
329 :
330 0 : return len;
331 : }
332 :
333 :
334 : /*
335 : Open a cipher handle for use with cipher algorithm ALGORITHM, using
336 : the cipher mode MODE (one of the GCRY_CIPHER_MODE_*) and return a
337 : handle in HANDLE. Put NULL into HANDLE and return an error code if
338 : something goes wrong. FLAGS may be used to modify the
339 : operation. The defined flags are:
340 :
341 : GCRY_CIPHER_SECURE: allocate all internal buffers in secure memory.
342 : GCRY_CIPHER_ENABLE_SYNC: Enable the sync operation as used in OpenPGP.
343 : GCRY_CIPHER_CBC_CTS: Enable CTS mode.
344 : GCRY_CIPHER_CBC_MAC: Enable MAC mode.
345 :
346 : Values for these flags may be combined using OR.
347 : */
348 : gcry_err_code_t
349 0 : _gcry_cipher_open (gcry_cipher_hd_t *handle,
350 : int algo, int mode, unsigned int flags)
351 : {
352 : gcry_err_code_t rc;
353 0 : gcry_cipher_hd_t h = NULL;
354 :
355 0 : if (mode >= GCRY_CIPHER_MODE_INTERNAL)
356 0 : rc = GPG_ERR_INV_CIPHER_MODE;
357 : else
358 0 : rc = _gcry_cipher_open_internal (&h, algo, mode, flags);
359 :
360 0 : *handle = rc ? NULL : h;
361 :
362 0 : return rc;
363 : }
364 :
365 :
366 : gcry_err_code_t
367 0 : _gcry_cipher_open_internal (gcry_cipher_hd_t *handle,
368 : int algo, int mode, unsigned int flags)
369 : {
370 0 : int secure = (flags & GCRY_CIPHER_SECURE);
371 : gcry_cipher_spec_t *spec;
372 0 : gcry_cipher_hd_t h = NULL;
373 : gcry_err_code_t err;
374 :
375 : /* If the application missed to call the random poll function, we do
376 : it here to ensure that it is used once in a while. */
377 0 : _gcry_fast_random_poll ();
378 :
379 0 : spec = spec_from_algo (algo);
380 0 : if (!spec)
381 0 : err = GPG_ERR_CIPHER_ALGO;
382 0 : else if (spec->flags.disabled)
383 0 : err = GPG_ERR_CIPHER_ALGO;
384 : else
385 0 : err = 0;
386 :
387 : /* check flags */
388 0 : if ((! err)
389 0 : && ((flags & ~(0
390 : | GCRY_CIPHER_SECURE
391 : | GCRY_CIPHER_ENABLE_SYNC
392 : | GCRY_CIPHER_CBC_CTS
393 : | GCRY_CIPHER_CBC_MAC))
394 : || (flags & GCRY_CIPHER_CBC_CTS & GCRY_CIPHER_CBC_MAC)))
395 0 : err = GPG_ERR_CIPHER_ALGO;
396 :
397 : /* check that a valid mode has been requested */
398 0 : if (! err)
399 0 : switch (mode)
400 : {
401 : case GCRY_CIPHER_MODE_CCM:
402 0 : if (spec->blocksize != GCRY_CCM_BLOCK_LEN)
403 0 : err = GPG_ERR_INV_CIPHER_MODE;
404 0 : if (!spec->encrypt || !spec->decrypt)
405 0 : err = GPG_ERR_INV_CIPHER_MODE;
406 0 : break;
407 :
408 : case GCRY_CIPHER_MODE_ECB:
409 : case GCRY_CIPHER_MODE_CBC:
410 : case GCRY_CIPHER_MODE_CFB:
411 : case GCRY_CIPHER_MODE_OFB:
412 : case GCRY_CIPHER_MODE_CTR:
413 : case GCRY_CIPHER_MODE_AESWRAP:
414 : case GCRY_CIPHER_MODE_CMAC:
415 : case GCRY_CIPHER_MODE_GCM:
416 0 : if (!spec->encrypt || !spec->decrypt)
417 0 : err = GPG_ERR_INV_CIPHER_MODE;
418 0 : break;
419 :
420 : case GCRY_CIPHER_MODE_POLY1305:
421 0 : if (!spec->stencrypt || !spec->stdecrypt || !spec->setiv)
422 0 : err = GPG_ERR_INV_CIPHER_MODE;
423 0 : else if (spec->algo != GCRY_CIPHER_CHACHA20)
424 0 : err = GPG_ERR_INV_CIPHER_MODE;
425 0 : break;
426 :
427 : case GCRY_CIPHER_MODE_OCB:
428 : /* Note that our implementation allows only for 128 bit block
429 : length algorithms. Lower block lengths would be possible
430 : but we do not implement them because they limit the
431 : security too much. */
432 0 : if (!spec->encrypt || !spec->decrypt)
433 0 : err = GPG_ERR_INV_CIPHER_MODE;
434 0 : else if (spec->blocksize != (128/8))
435 0 : err = GPG_ERR_INV_CIPHER_MODE;
436 0 : break;
437 :
438 : case GCRY_CIPHER_MODE_STREAM:
439 0 : if (!spec->stencrypt || !spec->stdecrypt)
440 0 : err = GPG_ERR_INV_CIPHER_MODE;
441 0 : break;
442 :
443 : case GCRY_CIPHER_MODE_NONE:
444 : /* This mode may be used for debugging. It copies the main
445 : text verbatim to the ciphertext. We do not allow this in
446 : fips mode or if no debug flag has been set. */
447 0 : if (fips_mode () || !_gcry_get_debug_flag (0))
448 0 : err = GPG_ERR_INV_CIPHER_MODE;
449 0 : break;
450 :
451 : default:
452 0 : err = GPG_ERR_INV_CIPHER_MODE;
453 : }
454 :
455 : /* Perform selftest here and mark this with a flag in cipher_table?
456 : No, we should not do this as it takes too long. Further it does
457 : not make sense to exclude algorithms with failing selftests at
458 : runtime: If a selftest fails there is something seriously wrong
459 : with the system and thus we better die immediately. */
460 :
461 0 : if (! err)
462 : {
463 0 : size_t size = (sizeof (*h)
464 0 : + 2 * spec->contextsize
465 : - sizeof (cipher_context_alignment_t)
466 : #ifdef NEED_16BYTE_ALIGNED_CONTEXT
467 : + 15 /* Space for leading alignment gap. */
468 : #endif /*NEED_16BYTE_ALIGNED_CONTEXT*/
469 : );
470 :
471 0 : if (secure)
472 0 : h = xtrycalloc_secure (1, size);
473 : else
474 0 : h = xtrycalloc (1, size);
475 :
476 0 : if (! h)
477 0 : err = gpg_err_code_from_syserror ();
478 : else
479 : {
480 0 : size_t off = 0;
481 :
482 : #ifdef NEED_16BYTE_ALIGNED_CONTEXT
483 0 : if ( ((uintptr_t)h & 0x0f) )
484 : {
485 : /* The malloced block is not aligned on a 16 byte
486 : boundary. Correct for this. */
487 0 : off = 16 - ((uintptr_t)h & 0x0f);
488 0 : h = (void*)((char*)h + off);
489 : }
490 : #endif /*NEED_16BYTE_ALIGNED_CONTEXT*/
491 :
492 0 : h->magic = secure ? CTX_MAGIC_SECURE : CTX_MAGIC_NORMAL;
493 0 : h->actual_handle_size = size - off;
494 0 : h->handle_offset = off;
495 0 : h->spec = spec;
496 0 : h->algo = algo;
497 0 : h->mode = mode;
498 0 : h->flags = flags;
499 :
500 : /* Setup bulk encryption routines. */
501 0 : switch (algo)
502 : {
503 : #ifdef USE_AES
504 : case GCRY_CIPHER_AES128:
505 : case GCRY_CIPHER_AES192:
506 : case GCRY_CIPHER_AES256:
507 0 : h->bulk.cfb_enc = _gcry_aes_cfb_enc;
508 0 : h->bulk.cfb_dec = _gcry_aes_cfb_dec;
509 0 : h->bulk.cbc_enc = _gcry_aes_cbc_enc;
510 0 : h->bulk.cbc_dec = _gcry_aes_cbc_dec;
511 0 : h->bulk.ctr_enc = _gcry_aes_ctr_enc;
512 0 : h->bulk.ocb_crypt = _gcry_aes_ocb_crypt;
513 0 : h->bulk.ocb_auth = _gcry_aes_ocb_auth;
514 0 : break;
515 : #endif /*USE_AES*/
516 : #ifdef USE_BLOWFISH
517 : case GCRY_CIPHER_BLOWFISH:
518 0 : h->bulk.cfb_dec = _gcry_blowfish_cfb_dec;
519 0 : h->bulk.cbc_dec = _gcry_blowfish_cbc_dec;
520 0 : h->bulk.ctr_enc = _gcry_blowfish_ctr_enc;
521 0 : break;
522 : #endif /*USE_BLOWFISH*/
523 : #ifdef USE_CAST5
524 : case GCRY_CIPHER_CAST5:
525 0 : h->bulk.cfb_dec = _gcry_cast5_cfb_dec;
526 0 : h->bulk.cbc_dec = _gcry_cast5_cbc_dec;
527 0 : h->bulk.ctr_enc = _gcry_cast5_ctr_enc;
528 0 : break;
529 : #endif /*USE_CAMELLIA*/
530 : #ifdef USE_CAMELLIA
531 : case GCRY_CIPHER_CAMELLIA128:
532 : case GCRY_CIPHER_CAMELLIA192:
533 : case GCRY_CIPHER_CAMELLIA256:
534 0 : h->bulk.cbc_dec = _gcry_camellia_cbc_dec;
535 0 : h->bulk.cfb_dec = _gcry_camellia_cfb_dec;
536 0 : h->bulk.ctr_enc = _gcry_camellia_ctr_enc;
537 0 : h->bulk.ocb_crypt = _gcry_camellia_ocb_crypt;
538 0 : h->bulk.ocb_auth = _gcry_camellia_ocb_auth;
539 0 : break;
540 : #endif /*USE_CAMELLIA*/
541 : #ifdef USE_DES
542 : case GCRY_CIPHER_3DES:
543 0 : h->bulk.cbc_dec = _gcry_3des_cbc_dec;
544 0 : h->bulk.cfb_dec = _gcry_3des_cfb_dec;
545 0 : h->bulk.ctr_enc = _gcry_3des_ctr_enc;
546 0 : break;
547 : #endif /*USE_DES*/
548 : #ifdef USE_SERPENT
549 : case GCRY_CIPHER_SERPENT128:
550 : case GCRY_CIPHER_SERPENT192:
551 : case GCRY_CIPHER_SERPENT256:
552 0 : h->bulk.cbc_dec = _gcry_serpent_cbc_dec;
553 0 : h->bulk.cfb_dec = _gcry_serpent_cfb_dec;
554 0 : h->bulk.ctr_enc = _gcry_serpent_ctr_enc;
555 0 : h->bulk.ocb_crypt = _gcry_serpent_ocb_crypt;
556 0 : h->bulk.ocb_auth = _gcry_serpent_ocb_auth;
557 0 : break;
558 : #endif /*USE_SERPENT*/
559 : #ifdef USE_TWOFISH
560 : case GCRY_CIPHER_TWOFISH:
561 : case GCRY_CIPHER_TWOFISH128:
562 0 : h->bulk.cbc_dec = _gcry_twofish_cbc_dec;
563 0 : h->bulk.cfb_dec = _gcry_twofish_cfb_dec;
564 0 : h->bulk.ctr_enc = _gcry_twofish_ctr_enc;
565 0 : h->bulk.ocb_crypt = _gcry_twofish_ocb_crypt;
566 0 : h->bulk.ocb_auth = _gcry_twofish_ocb_auth;
567 0 : break;
568 : #endif /*USE_TWOFISH*/
569 :
570 : default:
571 0 : break;
572 : }
573 :
574 : /* Setup defaults depending on the mode. */
575 0 : switch (mode)
576 : {
577 : case GCRY_CIPHER_MODE_OCB:
578 0 : h->u_mode.ocb.taglen = 16; /* Bytes. */
579 0 : break;
580 :
581 : default:
582 0 : break;
583 : }
584 :
585 : }
586 : }
587 :
588 : /* Done. */
589 :
590 0 : *handle = err ? NULL : h;
591 :
592 0 : return err;
593 : }
594 :
595 :
596 : /* Release all resources associated with the cipher handle H. H may be
597 : NULL in which case this is a no-operation. */
598 : void
599 0 : _gcry_cipher_close (gcry_cipher_hd_t h)
600 : {
601 : size_t off;
602 :
603 0 : if (!h)
604 0 : return;
605 :
606 0 : if ((h->magic != CTX_MAGIC_SECURE)
607 0 : && (h->magic != CTX_MAGIC_NORMAL))
608 0 : _gcry_fatal_error(GPG_ERR_INTERNAL,
609 : "gcry_cipher_close: already closed/invalid handle");
610 : else
611 0 : h->magic = 0;
612 :
613 : /* We always want to wipe out the memory even when the context has
614 : been allocated in secure memory. The user might have disabled
615 : secure memory or is using his own implementation which does not
616 : do the wiping. To accomplish this we need to keep track of the
617 : actual size of this structure because we have no way to known
618 : how large the allocated area was when using a standard malloc. */
619 0 : off = h->handle_offset;
620 0 : wipememory (h, h->actual_handle_size);
621 :
622 0 : xfree ((char*)h - off);
623 : }
624 :
625 :
626 : /* Set the key to be used for the encryption context C to KEY with
627 : length KEYLEN. The length should match the required length. */
628 : static gcry_err_code_t
629 0 : cipher_setkey (gcry_cipher_hd_t c, byte *key, size_t keylen)
630 : {
631 : gcry_err_code_t rc;
632 :
633 0 : rc = c->spec->setkey (&c->context.c, key, keylen);
634 0 : if (!rc)
635 : {
636 : /* Duplicate initial context. */
637 0 : memcpy ((void *) ((char *) &c->context.c + c->spec->contextsize),
638 0 : (void *) &c->context.c,
639 0 : c->spec->contextsize);
640 0 : c->marks.key = 1;
641 :
642 0 : switch (c->mode)
643 : {
644 : case GCRY_CIPHER_MODE_CMAC:
645 0 : _gcry_cipher_cmac_set_subkeys (c);
646 0 : break;
647 :
648 : case GCRY_CIPHER_MODE_GCM:
649 0 : _gcry_cipher_gcm_setkey (c);
650 0 : break;
651 :
652 : case GCRY_CIPHER_MODE_POLY1305:
653 0 : _gcry_cipher_poly1305_setkey (c);
654 0 : break;
655 :
656 : default:
657 0 : break;
658 : };
659 : }
660 : else
661 0 : c->marks.key = 0;
662 :
663 0 : return rc;
664 : }
665 :
666 :
667 : /* Set the IV to be used for the encryption context C to IV with
668 : length IVLEN. The length should match the required length. */
669 : static gcry_err_code_t
670 0 : cipher_setiv (gcry_cipher_hd_t c, const byte *iv, size_t ivlen)
671 : {
672 : /* If the cipher has its own IV handler, we use only this one. This
673 : is currently used for stream ciphers requiring a nonce. */
674 0 : if (c->spec->setiv)
675 : {
676 0 : c->spec->setiv (&c->context.c, iv, ivlen);
677 0 : return 0;
678 : }
679 :
680 0 : memset (c->u_iv.iv, 0, c->spec->blocksize);
681 0 : if (iv)
682 : {
683 0 : if (ivlen != c->spec->blocksize)
684 : {
685 0 : log_info ("WARNING: cipher_setiv: ivlen=%u blklen=%u\n",
686 0 : (unsigned int)ivlen, (unsigned int)c->spec->blocksize);
687 0 : fips_signal_error ("IV length does not match blocklength");
688 : }
689 0 : if (ivlen > c->spec->blocksize)
690 0 : ivlen = c->spec->blocksize;
691 0 : memcpy (c->u_iv.iv, iv, ivlen);
692 0 : c->marks.iv = 1;
693 : }
694 : else
695 0 : c->marks.iv = 0;
696 0 : c->unused = 0;
697 :
698 0 : return 0;
699 : }
700 :
701 :
702 : /* Reset the cipher context to the initial context. This is basically
703 : the same as an release followed by a new. */
704 : static void
705 0 : cipher_reset (gcry_cipher_hd_t c)
706 : {
707 : unsigned int marks_key;
708 :
709 0 : marks_key = c->marks.key;
710 :
711 0 : memcpy (&c->context.c,
712 0 : (char *) &c->context.c + c->spec->contextsize,
713 0 : c->spec->contextsize);
714 0 : memset (&c->marks, 0, sizeof c->marks);
715 0 : memset (c->u_iv.iv, 0, c->spec->blocksize);
716 0 : memset (c->lastiv, 0, c->spec->blocksize);
717 0 : memset (c->u_ctr.ctr, 0, c->spec->blocksize);
718 0 : c->unused = 0;
719 :
720 0 : c->marks.key = marks_key;
721 :
722 0 : switch (c->mode)
723 : {
724 : case GCRY_CIPHER_MODE_CMAC:
725 : /* Only clear 'tag' for cmac, keep subkeys. */
726 0 : c->u_mode.cmac.tag = 0;
727 0 : break;
728 :
729 : case GCRY_CIPHER_MODE_GCM:
730 : /* Only clear head of u_mode, keep ghash_key and gcm_table. */
731 : {
732 0 : byte *u_mode_pos = (void *)&c->u_mode;
733 0 : byte *ghash_key_pos = c->u_mode.gcm.u_ghash_key.key;
734 0 : size_t u_mode_head_length = ghash_key_pos - u_mode_pos;
735 :
736 0 : memset (&c->u_mode, 0, u_mode_head_length);
737 : }
738 0 : break;
739 :
740 : case GCRY_CIPHER_MODE_POLY1305:
741 0 : memset (&c->u_mode.poly1305, 0, sizeof c->u_mode.poly1305);
742 0 : break;
743 :
744 : case GCRY_CIPHER_MODE_CCM:
745 0 : memset (&c->u_mode.ccm, 0, sizeof c->u_mode.ccm);
746 0 : break;
747 :
748 : case GCRY_CIPHER_MODE_OCB:
749 0 : memset (&c->u_mode.ocb, 0, sizeof c->u_mode.ocb);
750 : /* Setup default taglen. */
751 0 : c->u_mode.ocb.taglen = 16;
752 0 : break;
753 :
754 : default:
755 0 : break; /* u_mode unused by other modes. */
756 : }
757 0 : }
758 :
759 :
760 : �
761 : static gcry_err_code_t
762 0 : do_ecb_crypt (gcry_cipher_hd_t c,
763 : unsigned char *outbuf, size_t outbuflen,
764 : const unsigned char *inbuf, size_t inbuflen,
765 : gcry_cipher_encrypt_t crypt_fn)
766 : {
767 0 : unsigned int blocksize = c->spec->blocksize;
768 : size_t n, nblocks;
769 : unsigned int burn, nburn;
770 :
771 0 : if (outbuflen < inbuflen)
772 0 : return GPG_ERR_BUFFER_TOO_SHORT;
773 0 : if ((inbuflen % blocksize))
774 0 : return GPG_ERR_INV_LENGTH;
775 :
776 0 : nblocks = inbuflen / blocksize;
777 0 : burn = 0;
778 :
779 0 : for (n=0; n < nblocks; n++ )
780 : {
781 0 : nburn = crypt_fn (&c->context.c, outbuf, inbuf);
782 0 : burn = nburn > burn ? nburn : burn;
783 0 : inbuf += blocksize;
784 0 : outbuf += blocksize;
785 : }
786 :
787 0 : if (burn > 0)
788 0 : _gcry_burn_stack (burn + 4 * sizeof(void *));
789 :
790 0 : return 0;
791 : }
792 :
793 : static gcry_err_code_t
794 0 : do_ecb_encrypt (gcry_cipher_hd_t c,
795 : unsigned char *outbuf, size_t outbuflen,
796 : const unsigned char *inbuf, size_t inbuflen)
797 : {
798 0 : return do_ecb_crypt (c, outbuf, outbuflen, inbuf, inbuflen, c->spec->encrypt);
799 : }
800 :
801 : static gcry_err_code_t
802 0 : do_ecb_decrypt (gcry_cipher_hd_t c,
803 : unsigned char *outbuf, size_t outbuflen,
804 : const unsigned char *inbuf, size_t inbuflen)
805 : {
806 0 : return do_ecb_crypt (c, outbuf, outbuflen, inbuf, inbuflen, c->spec->decrypt);
807 : }
808 :
809 :
810 : /****************
811 : * Encrypt INBUF to OUTBUF with the mode selected at open.
812 : * inbuf and outbuf may overlap or be the same.
813 : * Depending on the mode some constraints apply to INBUFLEN.
814 : */
815 : static gcry_err_code_t
816 0 : cipher_encrypt (gcry_cipher_hd_t c, byte *outbuf, size_t outbuflen,
817 : const byte *inbuf, size_t inbuflen)
818 : {
819 : gcry_err_code_t rc;
820 :
821 0 : if (c->mode != GCRY_CIPHER_MODE_NONE && !c->marks.key)
822 : {
823 0 : log_error ("cipher_encrypt: key not set\n");
824 0 : return GPG_ERR_MISSING_KEY;
825 : }
826 :
827 0 : switch (c->mode)
828 : {
829 : case GCRY_CIPHER_MODE_ECB:
830 0 : rc = do_ecb_encrypt (c, outbuf, outbuflen, inbuf, inbuflen);
831 0 : break;
832 :
833 : case GCRY_CIPHER_MODE_CBC:
834 0 : rc = _gcry_cipher_cbc_encrypt (c, outbuf, outbuflen, inbuf, inbuflen);
835 0 : break;
836 :
837 : case GCRY_CIPHER_MODE_CFB:
838 0 : rc = _gcry_cipher_cfb_encrypt (c, outbuf, outbuflen, inbuf, inbuflen);
839 0 : break;
840 :
841 : case GCRY_CIPHER_MODE_OFB:
842 0 : rc = _gcry_cipher_ofb_encrypt (c, outbuf, outbuflen, inbuf, inbuflen);
843 0 : break;
844 :
845 : case GCRY_CIPHER_MODE_CTR:
846 0 : rc = _gcry_cipher_ctr_encrypt (c, outbuf, outbuflen, inbuf, inbuflen);
847 0 : break;
848 :
849 : case GCRY_CIPHER_MODE_AESWRAP:
850 0 : rc = _gcry_cipher_aeswrap_encrypt (c, outbuf, outbuflen,
851 : inbuf, inbuflen);
852 0 : break;
853 :
854 : case GCRY_CIPHER_MODE_CCM:
855 0 : rc = _gcry_cipher_ccm_encrypt (c, outbuf, outbuflen, inbuf, inbuflen);
856 0 : break;
857 :
858 : case GCRY_CIPHER_MODE_CMAC:
859 0 : rc = GPG_ERR_INV_CIPHER_MODE;
860 0 : break;
861 :
862 : case GCRY_CIPHER_MODE_GCM:
863 0 : rc = _gcry_cipher_gcm_encrypt (c, outbuf, outbuflen, inbuf, inbuflen);
864 0 : break;
865 :
866 : case GCRY_CIPHER_MODE_POLY1305:
867 0 : rc = _gcry_cipher_poly1305_encrypt (c, outbuf, outbuflen,
868 : inbuf, inbuflen);
869 0 : break;
870 :
871 : case GCRY_CIPHER_MODE_OCB:
872 0 : rc = _gcry_cipher_ocb_encrypt (c, outbuf, outbuflen, inbuf, inbuflen);
873 0 : break;
874 :
875 : case GCRY_CIPHER_MODE_STREAM:
876 0 : c->spec->stencrypt (&c->context.c,
877 : outbuf, (byte*)/*arggg*/inbuf, inbuflen);
878 0 : rc = 0;
879 0 : break;
880 :
881 : case GCRY_CIPHER_MODE_NONE:
882 0 : if (fips_mode () || !_gcry_get_debug_flag (0))
883 : {
884 0 : fips_signal_error ("cipher mode NONE used");
885 0 : rc = GPG_ERR_INV_CIPHER_MODE;
886 : }
887 : else
888 : {
889 0 : if (inbuf != outbuf)
890 0 : memmove (outbuf, inbuf, inbuflen);
891 0 : rc = 0;
892 : }
893 0 : break;
894 :
895 : default:
896 0 : log_fatal ("cipher_encrypt: invalid mode %d\n", c->mode );
897 : rc = GPG_ERR_INV_CIPHER_MODE;
898 : break;
899 : }
900 :
901 0 : return rc;
902 : }
903 :
904 :
905 : /****************
906 : * Encrypt IN and write it to OUT. If IN is NULL, in-place encryption has
907 : * been requested.
908 : */
909 : gcry_err_code_t
910 0 : _gcry_cipher_encrypt (gcry_cipher_hd_t h, void *out, size_t outsize,
911 : const void *in, size_t inlen)
912 : {
913 : gcry_err_code_t rc;
914 :
915 0 : if (!in) /* Caller requested in-place encryption. */
916 : {
917 0 : in = out;
918 0 : inlen = outsize;
919 : }
920 :
921 0 : rc = cipher_encrypt (h, out, outsize, in, inlen);
922 :
923 : /* Failsafe: Make sure that the plaintext will never make it into
924 : OUT if the encryption returned an error. */
925 0 : if (rc && out)
926 0 : memset (out, 0x42, outsize);
927 :
928 0 : return rc;
929 : }
930 :
931 :
932 :
933 : /****************
934 : * Decrypt INBUF to OUTBUF with the mode selected at open.
935 : * inbuf and outbuf may overlap or be the same.
936 : * Depending on the mode some some contraints apply to INBUFLEN.
937 : */
938 : static gcry_err_code_t
939 0 : cipher_decrypt (gcry_cipher_hd_t c, byte *outbuf, size_t outbuflen,
940 : const byte *inbuf, size_t inbuflen)
941 : {
942 : gcry_err_code_t rc;
943 :
944 0 : if (c->mode != GCRY_CIPHER_MODE_NONE && !c->marks.key)
945 : {
946 0 : log_error ("cipher_decrypt: key not set\n");
947 0 : return GPG_ERR_MISSING_KEY;
948 : }
949 :
950 0 : switch (c->mode)
951 : {
952 : case GCRY_CIPHER_MODE_ECB:
953 0 : rc = do_ecb_decrypt (c, outbuf, outbuflen, inbuf, inbuflen);
954 0 : break;
955 :
956 : case GCRY_CIPHER_MODE_CBC:
957 0 : rc = _gcry_cipher_cbc_decrypt (c, outbuf, outbuflen, inbuf, inbuflen);
958 0 : break;
959 :
960 : case GCRY_CIPHER_MODE_CFB:
961 0 : rc = _gcry_cipher_cfb_decrypt (c, outbuf, outbuflen, inbuf, inbuflen);
962 0 : break;
963 :
964 : case GCRY_CIPHER_MODE_OFB:
965 0 : rc = _gcry_cipher_ofb_encrypt (c, outbuf, outbuflen, inbuf, inbuflen);
966 0 : break;
967 :
968 : case GCRY_CIPHER_MODE_CTR:
969 0 : rc = _gcry_cipher_ctr_encrypt (c, outbuf, outbuflen, inbuf, inbuflen);
970 0 : break;
971 :
972 : case GCRY_CIPHER_MODE_AESWRAP:
973 0 : rc = _gcry_cipher_aeswrap_decrypt (c, outbuf, outbuflen,
974 : inbuf, inbuflen);
975 0 : break;
976 :
977 : case GCRY_CIPHER_MODE_CCM:
978 0 : rc = _gcry_cipher_ccm_decrypt (c, outbuf, outbuflen, inbuf, inbuflen);
979 0 : break;
980 :
981 : case GCRY_CIPHER_MODE_CMAC:
982 0 : rc = GPG_ERR_INV_CIPHER_MODE;
983 0 : break;
984 :
985 : case GCRY_CIPHER_MODE_GCM:
986 0 : rc = _gcry_cipher_gcm_decrypt (c, outbuf, outbuflen, inbuf, inbuflen);
987 0 : break;
988 :
989 : case GCRY_CIPHER_MODE_POLY1305:
990 0 : rc = _gcry_cipher_poly1305_decrypt (c, outbuf, outbuflen,
991 : inbuf, inbuflen);
992 0 : break;
993 :
994 : case GCRY_CIPHER_MODE_OCB:
995 0 : rc = _gcry_cipher_ocb_decrypt (c, outbuf, outbuflen, inbuf, inbuflen);
996 0 : break;
997 :
998 : case GCRY_CIPHER_MODE_STREAM:
999 0 : c->spec->stdecrypt (&c->context.c,
1000 : outbuf, (byte*)/*arggg*/inbuf, inbuflen);
1001 0 : rc = 0;
1002 0 : break;
1003 :
1004 : case GCRY_CIPHER_MODE_NONE:
1005 0 : if (fips_mode () || !_gcry_get_debug_flag (0))
1006 : {
1007 0 : fips_signal_error ("cipher mode NONE used");
1008 0 : rc = GPG_ERR_INV_CIPHER_MODE;
1009 : }
1010 : else
1011 : {
1012 0 : if (inbuf != outbuf)
1013 0 : memmove (outbuf, inbuf, inbuflen);
1014 0 : rc = 0;
1015 : }
1016 0 : break;
1017 :
1018 : default:
1019 0 : log_fatal ("cipher_decrypt: invalid mode %d\n", c->mode );
1020 : rc = GPG_ERR_INV_CIPHER_MODE;
1021 : break;
1022 : }
1023 :
1024 0 : return rc;
1025 : }
1026 :
1027 :
1028 : gcry_err_code_t
1029 0 : _gcry_cipher_decrypt (gcry_cipher_hd_t h, void *out, size_t outsize,
1030 : const void *in, size_t inlen)
1031 : {
1032 0 : if (!in) /* Caller requested in-place encryption. */
1033 : {
1034 0 : in = out;
1035 0 : inlen = outsize;
1036 : }
1037 :
1038 0 : return cipher_decrypt (h, out, outsize, in, inlen);
1039 : }
1040 :
1041 :
1042 :
1043 : /****************
1044 : * Used for PGP's somewhat strange CFB mode. Only works if
1045 : * the corresponding flag is set.
1046 : */
1047 : static void
1048 0 : cipher_sync (gcry_cipher_hd_t c)
1049 : {
1050 0 : if ((c->flags & GCRY_CIPHER_ENABLE_SYNC) && c->unused)
1051 : {
1052 0 : memmove (c->u_iv.iv + c->unused,
1053 0 : c->u_iv.iv, c->spec->blocksize - c->unused);
1054 0 : memcpy (c->u_iv.iv,
1055 0 : c->lastiv + c->spec->blocksize - c->unused, c->unused);
1056 0 : c->unused = 0;
1057 : }
1058 0 : }
1059 :
1060 :
1061 : gcry_err_code_t
1062 0 : _gcry_cipher_setkey (gcry_cipher_hd_t hd, const void *key, size_t keylen)
1063 : {
1064 0 : return cipher_setkey (hd, (void*)key, keylen);
1065 : }
1066 :
1067 :
1068 : gcry_err_code_t
1069 0 : _gcry_cipher_setiv (gcry_cipher_hd_t hd, const void *iv, size_t ivlen)
1070 : {
1071 0 : gcry_err_code_t rc = 0;
1072 :
1073 0 : switch (hd->mode)
1074 : {
1075 : case GCRY_CIPHER_MODE_CCM:
1076 0 : rc = _gcry_cipher_ccm_set_nonce (hd, iv, ivlen);
1077 0 : break;
1078 :
1079 : case GCRY_CIPHER_MODE_GCM:
1080 0 : rc = _gcry_cipher_gcm_setiv (hd, iv, ivlen);
1081 0 : break;
1082 :
1083 : case GCRY_CIPHER_MODE_POLY1305:
1084 0 : rc = _gcry_cipher_poly1305_setiv (hd, iv, ivlen);
1085 0 : break;
1086 :
1087 : case GCRY_CIPHER_MODE_OCB:
1088 0 : rc = _gcry_cipher_ocb_set_nonce (hd, iv, ivlen);
1089 0 : break;
1090 :
1091 : default:
1092 0 : rc = cipher_setiv (hd, iv, ivlen);
1093 0 : break;
1094 : }
1095 0 : return rc;
1096 : }
1097 :
1098 : /* Set counter for CTR mode. (CTR,CTRLEN) must denote a buffer of
1099 : block size length, or (NULL,0) to set the CTR to the all-zero
1100 : block. */
1101 : gpg_err_code_t
1102 0 : _gcry_cipher_setctr (gcry_cipher_hd_t hd, const void *ctr, size_t ctrlen)
1103 : {
1104 0 : if (ctr && ctrlen == hd->spec->blocksize)
1105 : {
1106 0 : memcpy (hd->u_ctr.ctr, ctr, hd->spec->blocksize);
1107 0 : hd->unused = 0;
1108 : }
1109 0 : else if (!ctr || !ctrlen)
1110 : {
1111 0 : memset (hd->u_ctr.ctr, 0, hd->spec->blocksize);
1112 0 : hd->unused = 0;
1113 : }
1114 : else
1115 0 : return GPG_ERR_INV_ARG;
1116 :
1117 0 : return 0;
1118 : }
1119 :
1120 : gpg_err_code_t
1121 0 : _gcry_cipher_getctr (gcry_cipher_hd_t hd, void *ctr, size_t ctrlen)
1122 : {
1123 0 : if (ctr && ctrlen == hd->spec->blocksize)
1124 0 : memcpy (ctr, hd->u_ctr.ctr, hd->spec->blocksize);
1125 : else
1126 0 : return GPG_ERR_INV_ARG;
1127 :
1128 0 : return 0;
1129 : }
1130 :
1131 : gcry_err_code_t
1132 0 : _gcry_cipher_authenticate (gcry_cipher_hd_t hd, const void *abuf,
1133 : size_t abuflen)
1134 : {
1135 : gcry_err_code_t rc;
1136 :
1137 0 : switch (hd->mode)
1138 : {
1139 : case GCRY_CIPHER_MODE_CCM:
1140 0 : rc = _gcry_cipher_ccm_authenticate (hd, abuf, abuflen);
1141 0 : break;
1142 :
1143 : case GCRY_CIPHER_MODE_CMAC:
1144 0 : rc = _gcry_cipher_cmac_authenticate (hd, abuf, abuflen);
1145 0 : break;
1146 :
1147 : case GCRY_CIPHER_MODE_GCM:
1148 0 : rc = _gcry_cipher_gcm_authenticate (hd, abuf, abuflen);
1149 0 : break;
1150 :
1151 : case GCRY_CIPHER_MODE_POLY1305:
1152 0 : rc = _gcry_cipher_poly1305_authenticate (hd, abuf, abuflen);
1153 0 : break;
1154 :
1155 : case GCRY_CIPHER_MODE_OCB:
1156 0 : rc = _gcry_cipher_ocb_authenticate (hd, abuf, abuflen);
1157 0 : break;
1158 :
1159 : default:
1160 0 : log_error ("gcry_cipher_authenticate: invalid mode %d\n", hd->mode);
1161 0 : rc = GPG_ERR_INV_CIPHER_MODE;
1162 0 : break;
1163 : }
1164 :
1165 0 : return rc;
1166 : }
1167 :
1168 :
1169 : gcry_err_code_t
1170 0 : _gcry_cipher_gettag (gcry_cipher_hd_t hd, void *outtag, size_t taglen)
1171 : {
1172 : gcry_err_code_t rc;
1173 :
1174 0 : switch (hd->mode)
1175 : {
1176 : case GCRY_CIPHER_MODE_CCM:
1177 0 : rc = _gcry_cipher_ccm_get_tag (hd, outtag, taglen);
1178 0 : break;
1179 :
1180 : case GCRY_CIPHER_MODE_CMAC:
1181 0 : rc = _gcry_cipher_cmac_get_tag (hd, outtag, taglen);
1182 0 : break;
1183 :
1184 : case GCRY_CIPHER_MODE_GCM:
1185 0 : rc = _gcry_cipher_gcm_get_tag (hd, outtag, taglen);
1186 0 : break;
1187 :
1188 : case GCRY_CIPHER_MODE_POLY1305:
1189 0 : rc = _gcry_cipher_poly1305_get_tag (hd, outtag, taglen);
1190 0 : break;
1191 :
1192 : case GCRY_CIPHER_MODE_OCB:
1193 0 : rc = _gcry_cipher_ocb_get_tag (hd, outtag, taglen);
1194 0 : break;
1195 :
1196 : default:
1197 0 : log_error ("gcry_cipher_gettag: invalid mode %d\n", hd->mode);
1198 0 : rc = GPG_ERR_INV_CIPHER_MODE;
1199 0 : break;
1200 : }
1201 :
1202 0 : return rc;
1203 : }
1204 :
1205 :
1206 : gcry_err_code_t
1207 0 : _gcry_cipher_checktag (gcry_cipher_hd_t hd, const void *intag, size_t taglen)
1208 : {
1209 : gcry_err_code_t rc;
1210 :
1211 0 : switch (hd->mode)
1212 : {
1213 : case GCRY_CIPHER_MODE_CCM:
1214 0 : rc = _gcry_cipher_ccm_check_tag (hd, intag, taglen);
1215 0 : break;
1216 :
1217 : case GCRY_CIPHER_MODE_CMAC:
1218 0 : rc = _gcry_cipher_cmac_check_tag (hd, intag, taglen);
1219 0 : break;
1220 :
1221 : case GCRY_CIPHER_MODE_GCM:
1222 0 : rc = _gcry_cipher_gcm_check_tag (hd, intag, taglen);
1223 0 : break;
1224 :
1225 : case GCRY_CIPHER_MODE_POLY1305:
1226 0 : rc = _gcry_cipher_poly1305_check_tag (hd, intag, taglen);
1227 0 : break;
1228 :
1229 : case GCRY_CIPHER_MODE_OCB:
1230 0 : rc = _gcry_cipher_ocb_check_tag (hd, intag, taglen);
1231 0 : break;
1232 :
1233 : default:
1234 0 : log_error ("gcry_cipher_checktag: invalid mode %d\n", hd->mode);
1235 0 : rc = GPG_ERR_INV_CIPHER_MODE;
1236 0 : break;
1237 : }
1238 :
1239 0 : return rc;
1240 : }
1241 :
1242 :
1243 : gcry_err_code_t
1244 0 : _gcry_cipher_ctl (gcry_cipher_hd_t h, int cmd, void *buffer, size_t buflen)
1245 : {
1246 0 : gcry_err_code_t rc = 0;
1247 :
1248 0 : switch (cmd)
1249 : {
1250 : case GCRYCTL_RESET:
1251 0 : cipher_reset (h);
1252 0 : break;
1253 :
1254 : case GCRYCTL_FINALIZE:
1255 0 : if (!h || buffer || buflen)
1256 0 : return GPG_ERR_INV_ARG;
1257 0 : h->marks.finalize = 1;
1258 0 : break;
1259 :
1260 : case GCRYCTL_CFB_SYNC:
1261 0 : cipher_sync( h );
1262 0 : break;
1263 :
1264 : case GCRYCTL_SET_CBC_CTS:
1265 0 : if (buflen)
1266 0 : if (h->flags & GCRY_CIPHER_CBC_MAC)
1267 0 : rc = GPG_ERR_INV_FLAG;
1268 : else
1269 0 : h->flags |= GCRY_CIPHER_CBC_CTS;
1270 : else
1271 0 : h->flags &= ~GCRY_CIPHER_CBC_CTS;
1272 0 : break;
1273 :
1274 : case GCRYCTL_SET_CBC_MAC:
1275 0 : if (buflen)
1276 0 : if (h->flags & GCRY_CIPHER_CBC_CTS)
1277 0 : rc = GPG_ERR_INV_FLAG;
1278 : else
1279 0 : h->flags |= GCRY_CIPHER_CBC_MAC;
1280 : else
1281 0 : h->flags &= ~GCRY_CIPHER_CBC_MAC;
1282 0 : break;
1283 :
1284 : case GCRYCTL_SET_CCM_LENGTHS:
1285 : {
1286 : u64 params[3];
1287 : size_t encryptedlen;
1288 : size_t aadlen;
1289 : size_t authtaglen;
1290 :
1291 0 : if (h->mode != GCRY_CIPHER_MODE_CCM)
1292 0 : return GPG_ERR_INV_CIPHER_MODE;
1293 :
1294 0 : if (!buffer || buflen != 3 * sizeof(u64))
1295 0 : return GPG_ERR_INV_ARG;
1296 :
1297 : /* This command is used to pass additional length parameters needed
1298 : by CCM mode to initialize CBC-MAC. */
1299 0 : memcpy (params, buffer, sizeof(params));
1300 0 : encryptedlen = params[0];
1301 0 : aadlen = params[1];
1302 0 : authtaglen = params[2];
1303 :
1304 0 : rc = _gcry_cipher_ccm_set_lengths (h, encryptedlen, aadlen, authtaglen);
1305 : }
1306 0 : break;
1307 :
1308 : case GCRYCTL_SET_TAGLEN:
1309 0 : if (!h || !buffer || buflen != sizeof(int) )
1310 0 : return GPG_ERR_INV_ARG;
1311 0 : switch (h->mode)
1312 : {
1313 : case GCRY_CIPHER_MODE_OCB:
1314 0 : switch (*(int*)buffer)
1315 : {
1316 : case 8: case 12: case 16:
1317 0 : h->u_mode.ocb.taglen = *(int*)buffer;
1318 0 : break;
1319 : default:
1320 0 : rc = GPG_ERR_INV_LENGTH; /* Invalid tag length. */
1321 0 : break;
1322 : }
1323 0 : break;
1324 :
1325 : default:
1326 0 : rc =GPG_ERR_INV_CIPHER_MODE;
1327 0 : break;
1328 : }
1329 0 : break;
1330 :
1331 : case GCRYCTL_DISABLE_ALGO:
1332 : /* This command expects NULL for H and BUFFER to point to an
1333 : integer with the algo number. */
1334 0 : if( h || !buffer || buflen != sizeof(int) )
1335 0 : return GPG_ERR_CIPHER_ALGO;
1336 0 : disable_cipher_algo( *(int*)buffer );
1337 0 : break;
1338 :
1339 : case PRIV_CIPHERCTL_DISABLE_WEAK_KEY: /* (private) */
1340 0 : if (h->spec->set_extra_info)
1341 0 : rc = h->spec->set_extra_info
1342 0 : (&h->context.c, CIPHER_INFO_NO_WEAK_KEY, NULL, 0);
1343 : else
1344 0 : rc = GPG_ERR_NOT_SUPPORTED;
1345 0 : break;
1346 :
1347 : case PRIV_CIPHERCTL_GET_INPUT_VECTOR: /* (private) */
1348 : /* This is the input block as used in CFB and OFB mode which has
1349 : initially been set as IV. The returned format is:
1350 : 1 byte Actual length of the block in bytes.
1351 : n byte The block.
1352 : If the provided buffer is too short, an error is returned. */
1353 0 : if (buflen < (1 + h->spec->blocksize))
1354 0 : rc = GPG_ERR_TOO_SHORT;
1355 : else
1356 : {
1357 : unsigned char *ivp;
1358 0 : unsigned char *dst = buffer;
1359 0 : int n = h->unused;
1360 :
1361 0 : if (!n)
1362 0 : n = h->spec->blocksize;
1363 0 : gcry_assert (n <= h->spec->blocksize);
1364 0 : *dst++ = n;
1365 0 : ivp = h->u_iv.iv + h->spec->blocksize - n;
1366 0 : while (n--)
1367 0 : *dst++ = *ivp++;
1368 : }
1369 0 : break;
1370 :
1371 : case GCRYCTL_SET_SBOX:
1372 0 : if (h->spec->set_extra_info)
1373 0 : rc = h->spec->set_extra_info
1374 0 : (&h->context.c, GCRYCTL_SET_SBOX, buffer, buflen);
1375 : else
1376 0 : rc = GPG_ERR_NOT_SUPPORTED;
1377 0 : break;
1378 :
1379 : default:
1380 0 : rc = GPG_ERR_INV_OP;
1381 : }
1382 :
1383 0 : return rc;
1384 : }
1385 :
1386 :
1387 : /* Return information about the cipher handle H. CMD is the kind of
1388 : * information requested.
1389 : *
1390 : * CMD may be one of:
1391 : *
1392 : * GCRYCTL_GET_TAGLEN:
1393 : * Return the length of the tag for an AE algorithm mode. An
1394 : * error is returned for modes which do not support a tag.
1395 : * BUFFER must be given as NULL. On success the result is stored
1396 : * at NBYTES. The taglen is returned in bytes.
1397 : *
1398 : * The function returns 0 on success or an error code.
1399 : */
1400 : gcry_err_code_t
1401 0 : _gcry_cipher_info (gcry_cipher_hd_t h, int cmd, void *buffer, size_t *nbytes)
1402 : {
1403 0 : gcry_err_code_t rc = 0;
1404 :
1405 0 : switch (cmd)
1406 : {
1407 : case GCRYCTL_GET_TAGLEN:
1408 0 : if (!h || buffer || !nbytes)
1409 0 : rc = GPG_ERR_INV_ARG;
1410 : else
1411 : {
1412 0 : switch (h->mode)
1413 : {
1414 : case GCRY_CIPHER_MODE_OCB:
1415 0 : *nbytes = h->u_mode.ocb.taglen;
1416 0 : break;
1417 :
1418 : case GCRY_CIPHER_MODE_CCM:
1419 0 : *nbytes = h->u_mode.ccm.authlen;
1420 0 : break;
1421 :
1422 : case GCRY_CIPHER_MODE_GCM:
1423 0 : *nbytes = GCRY_GCM_BLOCK_LEN;
1424 0 : break;
1425 :
1426 : case GCRY_CIPHER_MODE_POLY1305:
1427 0 : *nbytes = POLY1305_TAGLEN;
1428 0 : break;
1429 :
1430 : default:
1431 0 : rc = GPG_ERR_INV_CIPHER_MODE;
1432 0 : break;
1433 : }
1434 : }
1435 0 : break;
1436 :
1437 : default:
1438 0 : rc = GPG_ERR_INV_OP;
1439 : }
1440 :
1441 0 : return rc;
1442 : }
1443 :
1444 : /* Return information about the given cipher algorithm ALGO.
1445 :
1446 : WHAT select the kind of information returned:
1447 :
1448 : GCRYCTL_GET_KEYLEN:
1449 : Return the length of the key. If the algorithm ALGO
1450 : supports multiple key lengths, the maximum supported key length
1451 : is returned. The key length is returned as number of octets.
1452 : BUFFER and NBYTES must be zero.
1453 :
1454 : GCRYCTL_GET_BLKLEN:
1455 : Return the blocklength of the algorithm ALGO counted in octets.
1456 : BUFFER and NBYTES must be zero.
1457 :
1458 : GCRYCTL_TEST_ALGO:
1459 : Returns 0 if the specified algorithm ALGO is available for use.
1460 : BUFFER and NBYTES must be zero.
1461 :
1462 : Note: Because this function is in most cases used to return an
1463 : integer value, we can make it easier for the caller to just look at
1464 : the return value. The caller will in all cases consult the value
1465 : and thereby detecting whether a error occurred or not (i.e. while
1466 : checking the block size)
1467 : */
1468 : gcry_err_code_t
1469 0 : _gcry_cipher_algo_info (int algo, int what, void *buffer, size_t *nbytes)
1470 : {
1471 0 : gcry_err_code_t rc = 0;
1472 : unsigned int ui;
1473 :
1474 0 : switch (what)
1475 : {
1476 : case GCRYCTL_GET_KEYLEN:
1477 0 : if (buffer || (! nbytes))
1478 0 : rc = GPG_ERR_CIPHER_ALGO;
1479 : else
1480 : {
1481 0 : ui = cipher_get_keylen (algo);
1482 0 : if ((ui > 0) && (ui <= 512))
1483 0 : *nbytes = (size_t) ui / 8;
1484 : else
1485 : /* The only reason for an error is an invalid algo. */
1486 0 : rc = GPG_ERR_CIPHER_ALGO;
1487 : }
1488 0 : break;
1489 :
1490 : case GCRYCTL_GET_BLKLEN:
1491 0 : if (buffer || (! nbytes))
1492 0 : rc = GPG_ERR_CIPHER_ALGO;
1493 : else
1494 : {
1495 0 : ui = cipher_get_blocksize (algo);
1496 0 : if ((ui > 0) && (ui < 10000))
1497 0 : *nbytes = ui;
1498 : else
1499 : {
1500 : /* The only reason is an invalid algo or a strange
1501 : blocksize. */
1502 0 : rc = GPG_ERR_CIPHER_ALGO;
1503 : }
1504 : }
1505 0 : break;
1506 :
1507 : case GCRYCTL_TEST_ALGO:
1508 0 : if (buffer || nbytes)
1509 0 : rc = GPG_ERR_INV_ARG;
1510 : else
1511 0 : rc = check_cipher_algo (algo);
1512 0 : break;
1513 :
1514 : default:
1515 0 : rc = GPG_ERR_INV_OP;
1516 : }
1517 :
1518 0 : return rc;
1519 : }
1520 :
1521 :
1522 : /* This function returns length of the key for algorithm ALGO. If the
1523 : algorithm supports multiple key lengths, the maximum supported key
1524 : length is returned. On error 0 is returned. The key length is
1525 : returned as number of octets.
1526 :
1527 : This is a convenience functions which should be preferred over
1528 : gcry_cipher_algo_info because it allows for proper type
1529 : checking. */
1530 : size_t
1531 0 : _gcry_cipher_get_algo_keylen (int algo)
1532 : {
1533 : size_t n;
1534 :
1535 0 : if (_gcry_cipher_algo_info (algo, GCRYCTL_GET_KEYLEN, NULL, &n))
1536 0 : n = 0;
1537 0 : return n;
1538 : }
1539 :
1540 :
1541 : /* This functions returns the blocklength of the algorithm ALGO
1542 : counted in octets. On error 0 is returned.
1543 :
1544 : This is a convenience functions which should be preferred over
1545 : gcry_cipher_algo_info because it allows for proper type
1546 : checking. */
1547 : size_t
1548 0 : _gcry_cipher_get_algo_blklen (int algo)
1549 : {
1550 : size_t n;
1551 :
1552 0 : if (_gcry_cipher_algo_info( algo, GCRYCTL_GET_BLKLEN, NULL, &n))
1553 0 : n = 0;
1554 0 : return n;
1555 : }
1556 :
1557 :
1558 : /* Explicitly initialize this module. */
1559 : gcry_err_code_t
1560 0 : _gcry_cipher_init (void)
1561 : {
1562 0 : if (fips_mode())
1563 : {
1564 : /* disable algorithms that are disallowed in fips */
1565 : int idx;
1566 : gcry_cipher_spec_t *spec;
1567 :
1568 0 : for (idx = 0; (spec = cipher_list[idx]); idx++)
1569 0 : if (!spec->flags.fips)
1570 0 : spec->flags.disabled = 1;
1571 : }
1572 :
1573 0 : return 0;
1574 : }
1575 :
1576 :
1577 : /* Run the selftests for cipher algorithm ALGO with optional reporting
1578 : function REPORT. */
1579 : gpg_error_t
1580 0 : _gcry_cipher_selftest (int algo, int extended, selftest_report_func_t report)
1581 : {
1582 0 : gcry_err_code_t ec = 0;
1583 : gcry_cipher_spec_t *spec;
1584 :
1585 0 : spec = spec_from_algo (algo);
1586 0 : if (spec && !spec->flags.disabled && spec->selftest)
1587 0 : ec = spec->selftest (algo, extended, report);
1588 : else
1589 : {
1590 0 : ec = GPG_ERR_CIPHER_ALGO;
1591 0 : if (report)
1592 0 : report ("cipher", algo, "module",
1593 0 : (spec && !spec->flags.disabled)?
1594 : "no selftest available" :
1595 0 : spec? "algorithm disabled" : "algorithm not found");
1596 : }
1597 :
1598 0 : return gpg_error (ec);
1599 : }
|
