Line data Source code
1 : /* cipher.c - cipher dispatcher
2 : * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003
3 : * 2005, 2007, 2008, 2009, 2011 Free Software Foundation, Inc.
4 : * Copyright (C) 2013 g10 Code GmbH
5 : *
6 : * This file is part of Libgcrypt.
7 : *
8 : * Libgcrypt is free software; you can redistribute it and/or modify
9 : * it under the terms of the GNU Lesser general Public License as
10 : * published by the Free Software Foundation; either version 2.1 of
11 : * the License, or (at your option) any later version.
12 : *
13 : * Libgcrypt is distributed in the hope that it will be useful,
14 : * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 : * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 : * GNU Lesser General Public License for more details.
17 : *
18 : * You should have received a copy of the GNU Lesser General Public
19 : * License along with this program; if not, see <http://www.gnu.org/licenses/>.
20 : */
21 :
22 : #include <config.h>
23 : #include <stdio.h>
24 : #include <stdlib.h>
25 : #include <string.h>
26 : #include <errno.h>
27 :
28 : #include "g10lib.h"
29 : #include "../src/gcrypt-testapi.h"
30 : #include "cipher.h"
31 : #include "./cipher-internal.h"
32 :
33 :
34 : /* This is the list of the default ciphers, which are included in
35 : libgcrypt. */
36 : static gcry_cipher_spec_t *cipher_list[] =
37 : {
38 : #if USE_BLOWFISH
39 : &_gcry_cipher_spec_blowfish,
40 : #endif
41 : #if USE_DES
42 : &_gcry_cipher_spec_des,
43 : &_gcry_cipher_spec_tripledes,
44 : #endif
45 : #if USE_ARCFOUR
46 : &_gcry_cipher_spec_arcfour,
47 : #endif
48 : #if USE_CAST5
49 : &_gcry_cipher_spec_cast5,
50 : #endif
51 : #if USE_AES
52 : &_gcry_cipher_spec_aes,
53 : &_gcry_cipher_spec_aes192,
54 : &_gcry_cipher_spec_aes256,
55 : #endif
56 : #if USE_TWOFISH
57 : &_gcry_cipher_spec_twofish,
58 : &_gcry_cipher_spec_twofish128,
59 : #endif
60 : #if USE_SERPENT
61 : &_gcry_cipher_spec_serpent128,
62 : &_gcry_cipher_spec_serpent192,
63 : &_gcry_cipher_spec_serpent256,
64 : #endif
65 : #if USE_RFC2268
66 : &_gcry_cipher_spec_rfc2268_40,
67 : &_gcry_cipher_spec_rfc2268_128,
68 : #endif
69 : #if USE_SEED
70 : &_gcry_cipher_spec_seed,
71 : #endif
72 : #if USE_CAMELLIA
73 : &_gcry_cipher_spec_camellia128,
74 : &_gcry_cipher_spec_camellia192,
75 : &_gcry_cipher_spec_camellia256,
76 : #endif
77 : #ifdef USE_IDEA
78 : &_gcry_cipher_spec_idea,
79 : #endif
80 : #if USE_SALSA20
81 : &_gcry_cipher_spec_salsa20,
82 : &_gcry_cipher_spec_salsa20r12,
83 : #endif
84 : #if USE_GOST28147
85 : &_gcry_cipher_spec_gost28147,
86 : #endif
87 : #if USE_CHACHA20
88 : &_gcry_cipher_spec_chacha20,
89 : #endif
90 : NULL
91 : };
92 :
93 :
94 :
95 : �
96 : static int
97 25519 : map_algo (int algo)
98 : {
99 25519 : return algo;
100 : }
101 :
102 :
103 : /* Return the spec structure for the cipher algorithm ALGO. For
104 : an unknown algorithm NULL is returned. */
105 : static gcry_cipher_spec_t *
106 25519 : spec_from_algo (int algo)
107 : {
108 : int idx;
109 : gcry_cipher_spec_t *spec;
110 :
111 25519 : algo = map_algo (algo);
112 :
113 303936 : for (idx = 0; (spec = cipher_list[idx]); idx++)
114 303186 : if (algo == spec->algo)
115 24769 : return spec;
116 750 : return NULL;
117 : }
118 :
119 :
120 : /* Lookup a cipher's spec by its name. */
121 : static gcry_cipher_spec_t *
122 24 : spec_from_name (const char *name)
123 : {
124 : gcry_cipher_spec_t *spec;
125 : int idx;
126 : const char **aliases;
127 :
128 300 : for (idx=0; (spec = cipher_list[idx]); idx++)
129 : {
130 300 : if (!stricmp (name, spec->name))
131 24 : return spec;
132 276 : if (spec->aliases)
133 : {
134 256 : for (aliases = spec->aliases; *aliases; aliases++)
135 169 : if (!stricmp (name, *aliases))
136 0 : return spec;
137 : }
138 : }
139 :
140 0 : return NULL;
141 : }
142 :
143 :
144 : /* Lookup a cipher's spec by its OID. */
145 : static gcry_cipher_spec_t *
146 24 : spec_from_oid (const char *oid)
147 : {
148 : gcry_cipher_spec_t *spec;
149 : gcry_cipher_oid_spec_t *oid_specs;
150 : int idx, j;
151 :
152 600 : for (idx=0; (spec = cipher_list[idx]); idx++)
153 : {
154 576 : oid_specs = spec->oids;
155 576 : if (oid_specs)
156 : {
157 1512 : for (j = 0; oid_specs[j].oid; j++)
158 1176 : if (!stricmp (oid, oid_specs[j].oid))
159 0 : return spec;
160 : }
161 : }
162 :
163 24 : return NULL;
164 : }
165 :
166 :
167 : /* Locate the OID in the oid table and return the spec or NULL if not
168 : found. An optional "oid." or "OID." prefix in OID is ignored, the
169 : OID is expected to be in standard IETF dotted notation. A pointer
170 : to the OID specification of the module implementing this algorithm
171 : is return in OID_SPEC unless passed as NULL.*/
172 : static gcry_cipher_spec_t *
173 24 : search_oid (const char *oid, gcry_cipher_oid_spec_t *oid_spec)
174 : {
175 : gcry_cipher_spec_t *spec;
176 : int i;
177 :
178 24 : if (!oid)
179 0 : return NULL;
180 :
181 24 : if (!strncmp (oid, "oid.", 4) || !strncmp (oid, "OID.", 4))
182 0 : oid += 4;
183 :
184 24 : spec = spec_from_oid (oid);
185 24 : if (spec && spec->oids)
186 : {
187 0 : for (i = 0; spec->oids[i].oid; i++)
188 0 : if (!stricmp (oid, spec->oids[i].oid))
189 : {
190 0 : if (oid_spec)
191 0 : *oid_spec = spec->oids[i];
192 0 : return spec;
193 : }
194 : }
195 :
196 24 : return NULL;
197 : }
198 :
199 :
200 : /* Map STRING to the cipher algorithm identifier. Returns the
201 : algorithm ID of the cipher for the given name or 0 if the name is
202 : not known. It is valid to pass NULL for STRING which results in a
203 : return value of 0. */
204 : int
205 24 : _gcry_cipher_map_name (const char *string)
206 : {
207 : gcry_cipher_spec_t *spec;
208 :
209 24 : if (!string)
210 0 : return 0;
211 :
212 : /* If the string starts with a digit (optionally prefixed with
213 : either "OID." or "oid."), we first look into our table of ASN.1
214 : object identifiers to figure out the algorithm */
215 :
216 24 : spec = search_oid (string, NULL);
217 24 : if (spec)
218 0 : return spec->algo;
219 :
220 24 : spec = spec_from_name (string);
221 24 : if (spec)
222 24 : return spec->algo;
223 :
224 0 : return 0;
225 : }
226 :
227 :
228 : /* Given a STRING with an OID in dotted decimal notation, this
229 : function returns the cipher mode (GCRY_CIPHER_MODE_*) associated
230 : with that OID or 0 if no mode is known. Passing NULL for string
231 : yields a return value of 0. */
232 : int
233 0 : _gcry_cipher_mode_from_oid (const char *string)
234 : {
235 : gcry_cipher_spec_t *spec;
236 : gcry_cipher_oid_spec_t oid_spec;
237 :
238 0 : if (!string)
239 0 : return 0;
240 :
241 0 : spec = search_oid (string, &oid_spec);
242 0 : if (spec)
243 0 : return oid_spec.mode;
244 :
245 0 : return 0;
246 : }
247 :
248 :
249 : /* Map the cipher algorithm identifier ALGORITHM to a string
250 : representing this algorithm. This string is the default name as
251 : used by Libgcrypt. A "?" is returned for an unknown algorithm.
252 : NULL is never returned. */
253 : const char *
254 72 : _gcry_cipher_algo_name (int algorithm)
255 : {
256 : gcry_cipher_spec_t *spec;
257 :
258 72 : spec = spec_from_algo (algorithm);
259 72 : return spec? spec->name : "?";
260 : }
261 :
262 :
263 : /* Flag the cipher algorithm with the identifier ALGORITHM as
264 : disabled. There is no error return, the function does nothing for
265 : unknown algorithms. Disabled algorithms are virtually not
266 : available in Libgcrypt. This is not thread safe and should thus be
267 : called early. */
268 : static void
269 0 : disable_cipher_algo (int algo)
270 : {
271 0 : gcry_cipher_spec_t *spec = spec_from_algo (algo);
272 :
273 0 : if (spec)
274 0 : spec->flags.disabled = 1;
275 0 : }
276 :
277 :
278 : /* Return 0 if the cipher algorithm with identifier ALGORITHM is
279 : available. Returns a basic error code value if it is not
280 : available. */
281 : static gcry_err_code_t
282 1182 : check_cipher_algo (int algorithm)
283 : {
284 : gcry_cipher_spec_t *spec;
285 :
286 1182 : spec = spec_from_algo (algorithm);
287 1182 : if (spec && !spec->flags.disabled)
288 432 : return 0;
289 :
290 750 : return GPG_ERR_CIPHER_ALGO;
291 : }
292 :
293 :
294 : /* Return the standard length in bits of the key for the cipher
295 : algorithm with the identifier ALGORITHM. */
296 : static unsigned int
297 7257 : cipher_get_keylen (int algorithm)
298 : {
299 : gcry_cipher_spec_t *spec;
300 7257 : unsigned len = 0;
301 :
302 7257 : spec = spec_from_algo (algorithm);
303 7257 : if (spec)
304 : {
305 7257 : len = spec->keylen;
306 7257 : if (!len)
307 0 : log_bug ("cipher %d w/o key length\n", algorithm);
308 : }
309 :
310 7257 : return len;
311 : }
312 :
313 :
314 : /* Return the block length of the cipher algorithm with the identifier
315 : ALGORITHM. This function return 0 for an invalid algorithm. */
316 : static unsigned int
317 7745 : cipher_get_blocksize (int algorithm)
318 : {
319 : gcry_cipher_spec_t *spec;
320 7745 : unsigned len = 0;
321 :
322 7745 : spec = spec_from_algo (algorithm);
323 7745 : if (spec)
324 : {
325 7745 : len = spec->blocksize;
326 7745 : if (!len)
327 0 : log_bug ("cipher %d w/o blocksize\n", algorithm);
328 : }
329 :
330 7745 : return len;
331 : }
332 :
333 :
334 : /*
335 : Open a cipher handle for use with cipher algorithm ALGORITHM, using
336 : the cipher mode MODE (one of the GCRY_CIPHER_MODE_*) and return a
337 : handle in HANDLE. Put NULL into HANDLE and return an error code if
338 : something goes wrong. FLAGS may be used to modify the
339 : operation. The defined flags are:
340 :
341 : GCRY_CIPHER_SECURE: allocate all internal buffers in secure memory.
342 : GCRY_CIPHER_ENABLE_SYNC: Enable the sync operation as used in OpenPGP.
343 : GCRY_CIPHER_CBC_CTS: Enable CTS mode.
344 : GCRY_CIPHER_CBC_MAC: Enable MAC mode.
345 :
346 : Values for these flags may be combined using OR.
347 : */
348 : gcry_err_code_t
349 9075 : _gcry_cipher_open (gcry_cipher_hd_t *handle,
350 : int algo, int mode, unsigned int flags)
351 : {
352 : gcry_err_code_t rc;
353 9075 : gcry_cipher_hd_t h = NULL;
354 :
355 9075 : if (mode >= GCRY_CIPHER_MODE_INTERNAL)
356 0 : rc = GPG_ERR_INV_CIPHER_MODE;
357 : else
358 9075 : rc = _gcry_cipher_open_internal (&h, algo, mode, flags);
359 :
360 9075 : *handle = rc ? NULL : h;
361 :
362 9075 : return rc;
363 : }
364 :
365 :
366 : gcry_err_code_t
367 9255 : _gcry_cipher_open_internal (gcry_cipher_hd_t *handle,
368 : int algo, int mode, unsigned int flags)
369 : {
370 9255 : int secure = (flags & GCRY_CIPHER_SECURE);
371 : gcry_cipher_spec_t *spec;
372 9255 : gcry_cipher_hd_t h = NULL;
373 : gcry_err_code_t err;
374 :
375 : /* If the application missed to call the random poll function, we do
376 : it here to ensure that it is used once in a while. */
377 9255 : _gcry_fast_random_poll ();
378 :
379 9255 : spec = spec_from_algo (algo);
380 9255 : if (!spec)
381 0 : err = GPG_ERR_CIPHER_ALGO;
382 9255 : else if (spec->flags.disabled)
383 0 : err = GPG_ERR_CIPHER_ALGO;
384 : else
385 9255 : err = 0;
386 :
387 : /* check flags */
388 9255 : if ((! err)
389 9255 : && ((flags & ~(0
390 : | GCRY_CIPHER_SECURE
391 : | GCRY_CIPHER_ENABLE_SYNC
392 : | GCRY_CIPHER_CBC_CTS
393 : | GCRY_CIPHER_CBC_MAC))
394 : || (flags & GCRY_CIPHER_CBC_CTS & GCRY_CIPHER_CBC_MAC)))
395 0 : err = GPG_ERR_CIPHER_ALGO;
396 :
397 : /* check that a valid mode has been requested */
398 9255 : if (! err)
399 9255 : switch (mode)
400 : {
401 : case GCRY_CIPHER_MODE_CCM:
402 1790 : if (spec->blocksize != GCRY_CCM_BLOCK_LEN)
403 0 : err = GPG_ERR_INV_CIPHER_MODE;
404 1790 : if (!spec->encrypt || !spec->decrypt)
405 0 : err = GPG_ERR_INV_CIPHER_MODE;
406 1790 : break;
407 :
408 : case GCRY_CIPHER_MODE_XTS:
409 552 : if (spec->blocksize != GCRY_XTS_BLOCK_LEN)
410 0 : err = GPG_ERR_INV_CIPHER_MODE;
411 552 : if (!spec->encrypt || !spec->decrypt)
412 0 : err = GPG_ERR_INV_CIPHER_MODE;
413 552 : break;
414 :
415 : case GCRY_CIPHER_MODE_ECB:
416 : case GCRY_CIPHER_MODE_CBC:
417 : case GCRY_CIPHER_MODE_CFB:
418 : case GCRY_CIPHER_MODE_CFB8:
419 : case GCRY_CIPHER_MODE_OFB:
420 : case GCRY_CIPHER_MODE_CTR:
421 : case GCRY_CIPHER_MODE_AESWRAP:
422 : case GCRY_CIPHER_MODE_CMAC:
423 : case GCRY_CIPHER_MODE_GCM:
424 5746 : if (!spec->encrypt || !spec->decrypt)
425 0 : err = GPG_ERR_INV_CIPHER_MODE;
426 5746 : break;
427 :
428 : case GCRY_CIPHER_MODE_POLY1305:
429 67 : if (!spec->stencrypt || !spec->stdecrypt || !spec->setiv)
430 0 : err = GPG_ERR_INV_CIPHER_MODE;
431 67 : else if (spec->algo != GCRY_CIPHER_CHACHA20)
432 0 : err = GPG_ERR_INV_CIPHER_MODE;
433 67 : break;
434 :
435 : case GCRY_CIPHER_MODE_OCB:
436 : /* Note that our implementation allows only for 128 bit block
437 : length algorithms. Lower block lengths would be possible
438 : but we do not implement them because they limit the
439 : security too much. */
440 852 : if (!spec->encrypt || !spec->decrypt)
441 0 : err = GPG_ERR_INV_CIPHER_MODE;
442 852 : else if (spec->blocksize != (128/8))
443 0 : err = GPG_ERR_INV_CIPHER_MODE;
444 852 : break;
445 :
446 : case GCRY_CIPHER_MODE_STREAM:
447 248 : if (!spec->stencrypt || !spec->stdecrypt)
448 0 : err = GPG_ERR_INV_CIPHER_MODE;
449 248 : break;
450 :
451 : case GCRY_CIPHER_MODE_NONE:
452 : /* This mode may be used for debugging. It copies the main
453 : text verbatim to the ciphertext. We do not allow this in
454 : fips mode or if no debug flag has been set. */
455 0 : if (fips_mode () || !_gcry_get_debug_flag (0))
456 0 : err = GPG_ERR_INV_CIPHER_MODE;
457 0 : break;
458 :
459 : default:
460 0 : err = GPG_ERR_INV_CIPHER_MODE;
461 : }
462 :
463 : /* Perform selftest here and mark this with a flag in cipher_table?
464 : No, we should not do this as it takes too long. Further it does
465 : not make sense to exclude algorithms with failing selftests at
466 : runtime: If a selftest fails there is something seriously wrong
467 : with the system and thus we better die immediately. */
468 :
469 9255 : if (! err)
470 : {
471 9255 : size_t size = (sizeof (*h)
472 9255 : + 2 * spec->contextsize
473 : - sizeof (cipher_context_alignment_t)
474 : #ifdef NEED_16BYTE_ALIGNED_CONTEXT
475 : + 15 /* Space for leading alignment gap. */
476 : #endif /*NEED_16BYTE_ALIGNED_CONTEXT*/
477 : );
478 :
479 : /* Space needed per mode. */
480 9255 : switch (mode)
481 : {
482 : case GCRY_CIPHER_MODE_XTS:
483 : /* Additional cipher context for tweak. */
484 552 : size += 2 * spec->contextsize + 15;
485 552 : break;
486 :
487 : default:
488 8703 : break;
489 : }
490 :
491 9255 : if (secure)
492 0 : h = xtrycalloc_secure (1, size);
493 : else
494 9255 : h = xtrycalloc (1, size);
495 :
496 9255 : if (! h)
497 0 : err = gpg_err_code_from_syserror ();
498 : else
499 : {
500 9255 : size_t off = 0;
501 : char *tc;
502 :
503 : #ifdef NEED_16BYTE_ALIGNED_CONTEXT
504 9255 : if ( ((uintptr_t)h & 0x0f) )
505 : {
506 : /* The malloced block is not aligned on a 16 byte
507 : boundary. Correct for this. */
508 0 : off = 16 - ((uintptr_t)h & 0x0f);
509 0 : h = (void*)((char*)h + off);
510 : }
511 : #endif /*NEED_16BYTE_ALIGNED_CONTEXT*/
512 :
513 9255 : h->magic = secure ? CTX_MAGIC_SECURE : CTX_MAGIC_NORMAL;
514 9255 : h->actual_handle_size = size - off;
515 9255 : h->handle_offset = off;
516 9255 : h->spec = spec;
517 9255 : h->algo = algo;
518 9255 : h->mode = mode;
519 9255 : h->flags = flags;
520 :
521 : /* Setup bulk encryption routines. */
522 9255 : switch (algo)
523 : {
524 : #ifdef USE_AES
525 : case GCRY_CIPHER_AES128:
526 : case GCRY_CIPHER_AES192:
527 : case GCRY_CIPHER_AES256:
528 2693 : h->bulk.cfb_enc = _gcry_aes_cfb_enc;
529 2693 : h->bulk.cfb_dec = _gcry_aes_cfb_dec;
530 2693 : h->bulk.cbc_enc = _gcry_aes_cbc_enc;
531 2693 : h->bulk.cbc_dec = _gcry_aes_cbc_dec;
532 2693 : h->bulk.ctr_enc = _gcry_aes_ctr_enc;
533 2693 : h->bulk.ocb_crypt = _gcry_aes_ocb_crypt;
534 2693 : h->bulk.ocb_auth = _gcry_aes_ocb_auth;
535 2693 : break;
536 : #endif /*USE_AES*/
537 : #ifdef USE_BLOWFISH
538 : case GCRY_CIPHER_BLOWFISH:
539 246 : h->bulk.cfb_dec = _gcry_blowfish_cfb_dec;
540 246 : h->bulk.cbc_dec = _gcry_blowfish_cbc_dec;
541 246 : h->bulk.ctr_enc = _gcry_blowfish_ctr_enc;
542 246 : break;
543 : #endif /*USE_BLOWFISH*/
544 : #ifdef USE_CAST5
545 : case GCRY_CIPHER_CAST5:
546 250 : h->bulk.cfb_dec = _gcry_cast5_cfb_dec;
547 250 : h->bulk.cbc_dec = _gcry_cast5_cbc_dec;
548 250 : h->bulk.ctr_enc = _gcry_cast5_ctr_enc;
549 250 : break;
550 : #endif /*USE_CAMELLIA*/
551 : #ifdef USE_CAMELLIA
552 : case GCRY_CIPHER_CAMELLIA128:
553 : case GCRY_CIPHER_CAMELLIA192:
554 : case GCRY_CIPHER_CAMELLIA256:
555 1941 : h->bulk.cbc_dec = _gcry_camellia_cbc_dec;
556 1941 : h->bulk.cfb_dec = _gcry_camellia_cfb_dec;
557 1941 : h->bulk.ctr_enc = _gcry_camellia_ctr_enc;
558 1941 : h->bulk.ocb_crypt = _gcry_camellia_ocb_crypt;
559 1941 : h->bulk.ocb_auth = _gcry_camellia_ocb_auth;
560 1941 : break;
561 : #endif /*USE_CAMELLIA*/
562 : #ifdef USE_DES
563 : case GCRY_CIPHER_3DES:
564 290 : h->bulk.cbc_dec = _gcry_3des_cbc_dec;
565 290 : h->bulk.cfb_dec = _gcry_3des_cfb_dec;
566 290 : h->bulk.ctr_enc = _gcry_3des_ctr_enc;
567 290 : break;
568 : #endif /*USE_DES*/
569 : #ifdef USE_SERPENT
570 : case GCRY_CIPHER_SERPENT128:
571 : case GCRY_CIPHER_SERPENT192:
572 : case GCRY_CIPHER_SERPENT256:
573 1251 : h->bulk.cbc_dec = _gcry_serpent_cbc_dec;
574 1251 : h->bulk.cfb_dec = _gcry_serpent_cfb_dec;
575 1251 : h->bulk.ctr_enc = _gcry_serpent_ctr_enc;
576 1251 : h->bulk.ocb_crypt = _gcry_serpent_ocb_crypt;
577 1251 : h->bulk.ocb_auth = _gcry_serpent_ocb_auth;
578 1251 : break;
579 : #endif /*USE_SERPENT*/
580 : #ifdef USE_TWOFISH
581 : case GCRY_CIPHER_TWOFISH:
582 : case GCRY_CIPHER_TWOFISH128:
583 836 : h->bulk.cbc_dec = _gcry_twofish_cbc_dec;
584 836 : h->bulk.cfb_dec = _gcry_twofish_cfb_dec;
585 836 : h->bulk.ctr_enc = _gcry_twofish_ctr_enc;
586 836 : h->bulk.ocb_crypt = _gcry_twofish_ocb_crypt;
587 836 : h->bulk.ocb_auth = _gcry_twofish_ocb_auth;
588 836 : break;
589 : #endif /*USE_TWOFISH*/
590 :
591 : default:
592 1748 : break;
593 : }
594 :
595 : /* Setup defaults depending on the mode. */
596 9255 : switch (mode)
597 : {
598 : case GCRY_CIPHER_MODE_OCB:
599 852 : h->u_mode.ocb.taglen = 16; /* Bytes. */
600 852 : break;
601 :
602 : case GCRY_CIPHER_MODE_XTS:
603 552 : tc = h->context.c + spec->contextsize * 2;
604 552 : tc += (16 - (uintptr_t)tc % 16) % 16;
605 552 : h->u_mode.xts.tweak_context = tc;
606 :
607 552 : break;
608 :
609 : default:
610 7851 : break;
611 : }
612 :
613 : }
614 : }
615 :
616 : /* Done. */
617 :
618 9255 : *handle = err ? NULL : h;
619 :
620 9255 : return err;
621 : }
622 :
623 :
624 : /* Release all resources associated with the cipher handle H. H may be
625 : NULL in which case this is a no-operation. */
626 : void
627 9259 : _gcry_cipher_close (gcry_cipher_hd_t h)
628 : {
629 : size_t off;
630 :
631 9259 : if (!h)
632 4 : return;
633 :
634 9255 : if ((h->magic != CTX_MAGIC_SECURE)
635 9255 : && (h->magic != CTX_MAGIC_NORMAL))
636 0 : _gcry_fatal_error(GPG_ERR_INTERNAL,
637 : "gcry_cipher_close: already closed/invalid handle");
638 : else
639 9255 : h->magic = 0;
640 :
641 : /* We always want to wipe out the memory even when the context has
642 : been allocated in secure memory. The user might have disabled
643 : secure memory or is using his own implementation which does not
644 : do the wiping. To accomplish this we need to keep track of the
645 : actual size of this structure because we have no way to known
646 : how large the allocated area was when using a standard malloc. */
647 9255 : off = h->handle_offset;
648 9255 : wipememory (h, h->actual_handle_size);
649 :
650 9255 : xfree ((char*)h - off);
651 : }
652 :
653 :
654 : /* Set the key to be used for the encryption context C to KEY with
655 : length KEYLEN. The length should match the required length. */
656 : static gcry_err_code_t
657 9415 : cipher_setkey (gcry_cipher_hd_t c, byte *key, size_t keylen)
658 : {
659 : gcry_err_code_t rc;
660 :
661 9415 : if (c->mode == GCRY_CIPHER_MODE_XTS)
662 : {
663 : /* XTS uses two keys. */
664 552 : if (keylen % 2)
665 0 : return GPG_ERR_INV_KEYLEN;
666 552 : keylen /= 2;
667 :
668 552 : if (fips_mode ())
669 : {
670 : /* Reject key if subkeys Key_1 and Key_2 are equal.
671 : See "Implementation Guidance for FIPS 140-2, A.9 XTS-AES
672 : Key Generation Requirements" for details. */
673 0 : if (buf_eq_const (key, key + keylen, keylen))
674 0 : return GPG_ERR_WEAK_KEY;
675 : }
676 : }
677 :
678 9415 : rc = c->spec->setkey (&c->context.c, key, keylen);
679 9415 : if (!rc)
680 : {
681 : /* Duplicate initial context. */
682 18830 : memcpy ((void *) ((char *) &c->context.c + c->spec->contextsize),
683 9415 : (void *) &c->context.c,
684 9415 : c->spec->contextsize);
685 9415 : c->marks.key = 1;
686 :
687 9415 : switch (c->mode)
688 : {
689 : case GCRY_CIPHER_MODE_CMAC:
690 124 : _gcry_cipher_cmac_set_subkeys (c);
691 124 : break;
692 :
693 : case GCRY_CIPHER_MODE_GCM:
694 728 : _gcry_cipher_gcm_setkey (c);
695 728 : break;
696 :
697 : case GCRY_CIPHER_MODE_POLY1305:
698 67 : _gcry_cipher_poly1305_setkey (c);
699 67 : break;
700 :
701 : case GCRY_CIPHER_MODE_XTS:
702 : /* Setup tweak cipher with second part of XTS key. */
703 552 : rc = c->spec->setkey (c->u_mode.xts.tweak_context, key + keylen,
704 : keylen);
705 552 : if (!rc)
706 : {
707 : /* Duplicate initial tweak context. */
708 1104 : memcpy (c->u_mode.xts.tweak_context + c->spec->contextsize,
709 1104 : c->u_mode.xts.tweak_context, c->spec->contextsize);
710 : }
711 : else
712 0 : c->marks.key = 0;
713 552 : break;
714 :
715 : default:
716 7944 : break;
717 : };
718 : }
719 : else
720 0 : c->marks.key = 0;
721 :
722 9415 : return rc;
723 : }
724 :
725 :
726 : /* Set the IV to be used for the encryption context C to IV with
727 : length IVLEN. The length should match the required length. */
728 : static gcry_err_code_t
729 4076 : cipher_setiv (gcry_cipher_hd_t c, const byte *iv, size_t ivlen)
730 : {
731 : /* If the cipher has its own IV handler, we use only this one. This
732 : is currently used for stream ciphers requiring a nonce. */
733 4076 : if (c->spec->setiv)
734 : {
735 264 : c->spec->setiv (&c->context.c, iv, ivlen);
736 264 : return 0;
737 : }
738 :
739 3812 : memset (c->u_iv.iv, 0, c->spec->blocksize);
740 3812 : if (iv)
741 : {
742 3782 : if (ivlen != c->spec->blocksize)
743 : {
744 0 : log_info ("WARNING: cipher_setiv: ivlen=%u blklen=%u\n",
745 0 : (unsigned int)ivlen, (unsigned int)c->spec->blocksize);
746 0 : fips_signal_error ("IV length does not match blocklength");
747 : }
748 3782 : if (ivlen > c->spec->blocksize)
749 0 : ivlen = c->spec->blocksize;
750 3782 : memcpy (c->u_iv.iv, iv, ivlen);
751 3782 : c->marks.iv = 1;
752 : }
753 : else
754 30 : c->marks.iv = 0;
755 3812 : c->unused = 0;
756 :
757 3812 : return 0;
758 : }
759 :
760 :
761 : /* Reset the cipher context to the initial context. This is basically
762 : the same as an release followed by a new. */
763 : static void
764 63126 : cipher_reset (gcry_cipher_hd_t c)
765 : {
766 : unsigned int marks_key;
767 :
768 63126 : marks_key = c->marks.key;
769 :
770 126252 : memcpy (&c->context.c,
771 63126 : (char *) &c->context.c + c->spec->contextsize,
772 63126 : c->spec->contextsize);
773 63126 : memset (&c->marks, 0, sizeof c->marks);
774 63126 : memset (c->u_iv.iv, 0, c->spec->blocksize);
775 63126 : memset (c->lastiv, 0, c->spec->blocksize);
776 63126 : memset (c->u_ctr.ctr, 0, c->spec->blocksize);
777 63126 : c->unused = 0;
778 :
779 63126 : c->marks.key = marks_key;
780 :
781 63126 : switch (c->mode)
782 : {
783 : case GCRY_CIPHER_MODE_CMAC:
784 : /* Only clear 'tag' for cmac, keep subkeys. */
785 10756 : c->u_mode.cmac.tag = 0;
786 10756 : break;
787 :
788 : case GCRY_CIPHER_MODE_GCM:
789 : /* Only clear head of u_mode, keep ghash_key and gcm_table. */
790 : {
791 7776 : byte *u_mode_pos = (void *)&c->u_mode;
792 7776 : byte *ghash_key_pos = c->u_mode.gcm.u_ghash_key.key;
793 7776 : size_t u_mode_head_length = ghash_key_pos - u_mode_pos;
794 :
795 7776 : memset (&c->u_mode, 0, u_mode_head_length);
796 : }
797 7776 : break;
798 :
799 : case GCRY_CIPHER_MODE_POLY1305:
800 288 : memset (&c->u_mode.poly1305, 0, sizeof c->u_mode.poly1305);
801 288 : break;
802 :
803 : case GCRY_CIPHER_MODE_CCM:
804 3072 : memset (&c->u_mode.ccm, 0, sizeof c->u_mode.ccm);
805 3072 : break;
806 :
807 : case GCRY_CIPHER_MODE_OCB:
808 3072 : memset (&c->u_mode.ocb, 0, sizeof c->u_mode.ocb);
809 : /* Setup default taglen. */
810 3072 : c->u_mode.ocb.taglen = 16;
811 3072 : break;
812 :
813 : case GCRY_CIPHER_MODE_XTS:
814 6144 : memcpy (c->u_mode.xts.tweak_context,
815 3072 : c->u_mode.xts.tweak_context + c->spec->contextsize,
816 3072 : c->spec->contextsize);
817 3072 : break;
818 :
819 : default:
820 35090 : break; /* u_mode unused by other modes. */
821 : }
822 63126 : }
823 :
824 :
825 : �
826 : static gcry_err_code_t
827 122858 : do_ecb_crypt (gcry_cipher_hd_t c,
828 : unsigned char *outbuf, size_t outbuflen,
829 : const unsigned char *inbuf, size_t inbuflen,
830 : gcry_cipher_encrypt_t crypt_fn)
831 : {
832 122858 : unsigned int blocksize = c->spec->blocksize;
833 : size_t n, nblocks;
834 : unsigned int burn, nburn;
835 :
836 122858 : if (outbuflen < inbuflen)
837 0 : return GPG_ERR_BUFFER_TOO_SHORT;
838 122858 : if ((inbuflen % blocksize))
839 0 : return GPG_ERR_INV_LENGTH;
840 :
841 122858 : nblocks = inbuflen / blocksize;
842 122858 : burn = 0;
843 :
844 13271540 : for (n=0; n < nblocks; n++ )
845 : {
846 13148682 : nburn = crypt_fn (&c->context.c, outbuf, inbuf);
847 13148682 : burn = nburn > burn ? nburn : burn;
848 13148682 : inbuf += blocksize;
849 13148682 : outbuf += blocksize;
850 : }
851 :
852 122858 : if (burn > 0)
853 93957 : _gcry_burn_stack (burn + 4 * sizeof(void *));
854 :
855 122858 : return 0;
856 : }
857 :
858 : static gcry_err_code_t
859 60190 : do_ecb_encrypt (gcry_cipher_hd_t c,
860 : unsigned char *outbuf, size_t outbuflen,
861 : const unsigned char *inbuf, size_t inbuflen)
862 : {
863 60190 : return do_ecb_crypt (c, outbuf, outbuflen, inbuf, inbuflen, c->spec->encrypt);
864 : }
865 :
866 : static gcry_err_code_t
867 62668 : do_ecb_decrypt (gcry_cipher_hd_t c,
868 : unsigned char *outbuf, size_t outbuflen,
869 : const unsigned char *inbuf, size_t inbuflen)
870 : {
871 62668 : return do_ecb_crypt (c, outbuf, outbuflen, inbuf, inbuflen, c->spec->decrypt);
872 : }
873 :
874 :
875 : /****************
876 : * Encrypt INBUF to OUTBUF with the mode selected at open.
877 : * inbuf and outbuf may overlap or be the same.
878 : * Depending on the mode some constraints apply to INBUFLEN.
879 : */
880 : static gcry_err_code_t
881 560228 : cipher_encrypt (gcry_cipher_hd_t c, byte *outbuf, size_t outbuflen,
882 : const byte *inbuf, size_t inbuflen)
883 : {
884 : gcry_err_code_t rc;
885 :
886 560228 : if (c->mode != GCRY_CIPHER_MODE_NONE && !c->marks.key)
887 : {
888 0 : log_error ("cipher_encrypt: key not set\n");
889 0 : return GPG_ERR_MISSING_KEY;
890 : }
891 :
892 560228 : switch (c->mode)
893 : {
894 : case GCRY_CIPHER_MODE_ECB:
895 60190 : rc = do_ecb_encrypt (c, outbuf, outbuflen, inbuf, inbuflen);
896 60190 : break;
897 :
898 : case GCRY_CIPHER_MODE_CBC:
899 75790 : rc = _gcry_cipher_cbc_encrypt (c, outbuf, outbuflen, inbuf, inbuflen);
900 75790 : break;
901 :
902 : case GCRY_CIPHER_MODE_CFB:
903 66208 : rc = _gcry_cipher_cfb_encrypt (c, outbuf, outbuflen, inbuf, inbuflen);
904 66208 : break;
905 :
906 : case GCRY_CIPHER_MODE_CFB8:
907 10210 : rc = _gcry_cipher_cfb8_encrypt (c, outbuf, outbuflen, inbuf, inbuflen);
908 10210 : break;
909 :
910 : case GCRY_CIPHER_MODE_OFB:
911 65592 : rc = _gcry_cipher_ofb_encrypt (c, outbuf, outbuflen, inbuf, inbuflen);
912 65592 : break;
913 :
914 : case GCRY_CIPHER_MODE_CTR:
915 73300 : rc = _gcry_cipher_ctr_encrypt (c, outbuf, outbuflen, inbuf, inbuflen);
916 73300 : break;
917 :
918 : case GCRY_CIPHER_MODE_AESWRAP:
919 6 : rc = _gcry_cipher_aeswrap_encrypt (c, outbuf, outbuflen,
920 : inbuf, inbuflen);
921 6 : break;
922 :
923 : case GCRY_CIPHER_MODE_CCM:
924 56858 : rc = _gcry_cipher_ccm_encrypt (c, outbuf, outbuflen, inbuf, inbuflen);
925 56858 : break;
926 :
927 : case GCRY_CIPHER_MODE_CMAC:
928 0 : rc = GPG_ERR_INV_CIPHER_MODE;
929 0 : break;
930 :
931 : case GCRY_CIPHER_MODE_GCM:
932 54120 : rc = _gcry_cipher_gcm_encrypt (c, outbuf, outbuflen, inbuf, inbuflen);
933 54120 : break;
934 :
935 : case GCRY_CIPHER_MODE_POLY1305:
936 6876 : rc = _gcry_cipher_poly1305_encrypt (c, outbuf, outbuflen,
937 : inbuf, inbuflen);
938 6876 : break;
939 :
940 : case GCRY_CIPHER_MODE_OCB:
941 38144 : rc = _gcry_cipher_ocb_encrypt (c, outbuf, outbuflen, inbuf, inbuflen);
942 38144 : break;
943 :
944 : case GCRY_CIPHER_MODE_XTS:
945 26904 : rc = _gcry_cipher_xts_crypt (c, outbuf, outbuflen, inbuf, inbuflen, 1);
946 26904 : break;
947 :
948 : case GCRY_CIPHER_MODE_STREAM:
949 26030 : c->spec->stencrypt (&c->context.c,
950 : outbuf, (byte*)/*arggg*/inbuf, inbuflen);
951 26030 : rc = 0;
952 26030 : break;
953 :
954 : case GCRY_CIPHER_MODE_NONE:
955 0 : if (fips_mode () || !_gcry_get_debug_flag (0))
956 : {
957 0 : fips_signal_error ("cipher mode NONE used");
958 0 : rc = GPG_ERR_INV_CIPHER_MODE;
959 : }
960 : else
961 : {
962 0 : if (inbuf != outbuf)
963 0 : memmove (outbuf, inbuf, inbuflen);
964 0 : rc = 0;
965 : }
966 0 : break;
967 :
968 : default:
969 0 : log_fatal ("cipher_encrypt: invalid mode %d\n", c->mode );
970 : rc = GPG_ERR_INV_CIPHER_MODE;
971 : break;
972 : }
973 :
974 560228 : return rc;
975 : }
976 :
977 :
978 : /****************
979 : * Encrypt IN and write it to OUT. If IN is NULL, in-place encryption has
980 : * been requested.
981 : */
982 : gcry_err_code_t
983 560228 : _gcry_cipher_encrypt (gcry_cipher_hd_t h, void *out, size_t outsize,
984 : const void *in, size_t inlen)
985 : {
986 : gcry_err_code_t rc;
987 :
988 560228 : if (!in) /* Caller requested in-place encryption. */
989 : {
990 53598 : in = out;
991 53598 : inlen = outsize;
992 : }
993 :
994 560228 : rc = cipher_encrypt (h, out, outsize, in, inlen);
995 :
996 : /* Failsafe: Make sure that the plaintext will never make it into
997 : OUT if the encryption returned an error. */
998 560228 : if (rc && out)
999 40 : memset (out, 0x42, outsize);
1000 :
1001 560228 : return rc;
1002 : }
1003 :
1004 :
1005 :
1006 : /****************
1007 : * Decrypt INBUF to OUTBUF with the mode selected at open.
1008 : * inbuf and outbuf may overlap or be the same.
1009 : * Depending on the mode some some contraints apply to INBUFLEN.
1010 : */
1011 : static gcry_err_code_t
1012 467248 : cipher_decrypt (gcry_cipher_hd_t c, byte *outbuf, size_t outbuflen,
1013 : const byte *inbuf, size_t inbuflen)
1014 : {
1015 : gcry_err_code_t rc;
1016 :
1017 467248 : if (c->mode != GCRY_CIPHER_MODE_NONE && !c->marks.key)
1018 : {
1019 0 : log_error ("cipher_decrypt: key not set\n");
1020 0 : return GPG_ERR_MISSING_KEY;
1021 : }
1022 :
1023 467248 : switch (c->mode)
1024 : {
1025 : case GCRY_CIPHER_MODE_ECB:
1026 62668 : rc = do_ecb_decrypt (c, outbuf, outbuflen, inbuf, inbuflen);
1027 62668 : break;
1028 :
1029 : case GCRY_CIPHER_MODE_CBC:
1030 75942 : rc = _gcry_cipher_cbc_decrypt (c, outbuf, outbuflen, inbuf, inbuflen);
1031 75942 : break;
1032 :
1033 : case GCRY_CIPHER_MODE_CFB:
1034 57994 : rc = _gcry_cipher_cfb_decrypt (c, outbuf, outbuflen, inbuf, inbuflen);
1035 57994 : break;
1036 :
1037 : case GCRY_CIPHER_MODE_CFB8:
1038 10210 : rc = _gcry_cipher_cfb8_decrypt (c, outbuf, outbuflen, inbuf, inbuflen);
1039 10210 : break;
1040 :
1041 : case GCRY_CIPHER_MODE_OFB:
1042 58142 : rc = _gcry_cipher_ofb_encrypt (c, outbuf, outbuflen, inbuf, inbuflen);
1043 58142 : break;
1044 :
1045 : case GCRY_CIPHER_MODE_CTR:
1046 55366 : rc = _gcry_cipher_ctr_encrypt (c, outbuf, outbuflen, inbuf, inbuflen);
1047 55366 : break;
1048 :
1049 : case GCRY_CIPHER_MODE_AESWRAP:
1050 18 : rc = _gcry_cipher_aeswrap_decrypt (c, outbuf, outbuflen,
1051 : inbuf, inbuflen);
1052 18 : break;
1053 :
1054 : case GCRY_CIPHER_MODE_CCM:
1055 34674 : rc = _gcry_cipher_ccm_decrypt (c, outbuf, outbuflen, inbuf, inbuflen);
1056 34674 : break;
1057 :
1058 : case GCRY_CIPHER_MODE_CMAC:
1059 0 : rc = GPG_ERR_INV_CIPHER_MODE;
1060 0 : break;
1061 :
1062 : case GCRY_CIPHER_MODE_GCM:
1063 36336 : rc = _gcry_cipher_gcm_decrypt (c, outbuf, outbuflen, inbuf, inbuflen);
1064 36336 : break;
1065 :
1066 : case GCRY_CIPHER_MODE_POLY1305:
1067 5608 : rc = _gcry_cipher_poly1305_decrypt (c, outbuf, outbuflen,
1068 : inbuf, inbuflen);
1069 5608 : break;
1070 :
1071 : case GCRY_CIPHER_MODE_OCB:
1072 27028 : rc = _gcry_cipher_ocb_decrypt (c, outbuf, outbuflen, inbuf, inbuflen);
1073 27028 : break;
1074 :
1075 : case GCRY_CIPHER_MODE_XTS:
1076 26614 : rc = _gcry_cipher_xts_crypt (c, outbuf, outbuflen, inbuf, inbuflen, 0);
1077 26614 : break;
1078 :
1079 : case GCRY_CIPHER_MODE_STREAM:
1080 16648 : c->spec->stdecrypt (&c->context.c,
1081 : outbuf, (byte*)/*arggg*/inbuf, inbuflen);
1082 16648 : rc = 0;
1083 16648 : break;
1084 :
1085 : case GCRY_CIPHER_MODE_NONE:
1086 0 : if (fips_mode () || !_gcry_get_debug_flag (0))
1087 : {
1088 0 : fips_signal_error ("cipher mode NONE used");
1089 0 : rc = GPG_ERR_INV_CIPHER_MODE;
1090 : }
1091 : else
1092 : {
1093 0 : if (inbuf != outbuf)
1094 0 : memmove (outbuf, inbuf, inbuflen);
1095 0 : rc = 0;
1096 : }
1097 0 : break;
1098 :
1099 : default:
1100 0 : log_fatal ("cipher_decrypt: invalid mode %d\n", c->mode );
1101 : rc = GPG_ERR_INV_CIPHER_MODE;
1102 : break;
1103 : }
1104 :
1105 467248 : return rc;
1106 : }
1107 :
1108 :
1109 : gcry_err_code_t
1110 467248 : _gcry_cipher_decrypt (gcry_cipher_hd_t h, void *out, size_t outsize,
1111 : const void *in, size_t inlen)
1112 : {
1113 467248 : if (!in) /* Caller requested in-place encryption. */
1114 : {
1115 67106 : in = out;
1116 67106 : inlen = outsize;
1117 : }
1118 :
1119 467248 : return cipher_decrypt (h, out, outsize, in, inlen);
1120 : }
1121 :
1122 :
1123 :
1124 : /****************
1125 : * Used for PGP's somewhat strange CFB mode. Only works if
1126 : * the corresponding flag is set.
1127 : */
1128 : static void
1129 0 : cipher_sync (gcry_cipher_hd_t c)
1130 : {
1131 0 : if ((c->flags & GCRY_CIPHER_ENABLE_SYNC) && c->unused)
1132 : {
1133 0 : memmove (c->u_iv.iv + c->unused,
1134 0 : c->u_iv.iv, c->spec->blocksize - c->unused);
1135 0 : memcpy (c->u_iv.iv,
1136 0 : c->lastiv + c->spec->blocksize - c->unused, c->unused);
1137 0 : c->unused = 0;
1138 : }
1139 0 : }
1140 :
1141 :
1142 : gcry_err_code_t
1143 9415 : _gcry_cipher_setkey (gcry_cipher_hd_t hd, const void *key, size_t keylen)
1144 : {
1145 9415 : return cipher_setkey (hd, (void*)key, keylen);
1146 : }
1147 :
1148 :
1149 : gcry_err_code_t
1150 174870 : _gcry_cipher_setiv (gcry_cipher_hd_t hd, const void *iv, size_t ivlen)
1151 : {
1152 174870 : gcry_err_code_t rc = 0;
1153 :
1154 174870 : switch (hd->mode)
1155 : {
1156 : case GCRY_CIPHER_MODE_CCM:
1157 73038 : rc = _gcry_cipher_ccm_set_nonce (hd, iv, ivlen);
1158 73038 : break;
1159 :
1160 : case GCRY_CIPHER_MODE_GCM:
1161 39024 : rc = _gcry_cipher_gcm_setiv (hd, iv, ivlen);
1162 39024 : break;
1163 :
1164 : case GCRY_CIPHER_MODE_POLY1305:
1165 2976 : rc = _gcry_cipher_poly1305_setiv (hd, iv, ivlen);
1166 2976 : break;
1167 :
1168 : case GCRY_CIPHER_MODE_OCB:
1169 55756 : rc = _gcry_cipher_ocb_set_nonce (hd, iv, ivlen);
1170 55756 : break;
1171 :
1172 : default:
1173 4076 : rc = cipher_setiv (hd, iv, ivlen);
1174 4076 : break;
1175 : }
1176 174870 : return rc;
1177 : }
1178 :
1179 : /* Set counter for CTR mode. (CTR,CTRLEN) must denote a buffer of
1180 : block size length, or (NULL,0) to set the CTR to the all-zero
1181 : block. */
1182 : gpg_err_code_t
1183 40 : _gcry_cipher_setctr (gcry_cipher_hd_t hd, const void *ctr, size_t ctrlen)
1184 : {
1185 40 : if (ctr && ctrlen == hd->spec->blocksize)
1186 : {
1187 40 : memcpy (hd->u_ctr.ctr, ctr, hd->spec->blocksize);
1188 40 : hd->unused = 0;
1189 : }
1190 0 : else if (!ctr || !ctrlen)
1191 : {
1192 0 : memset (hd->u_ctr.ctr, 0, hd->spec->blocksize);
1193 0 : hd->unused = 0;
1194 : }
1195 : else
1196 0 : return GPG_ERR_INV_ARG;
1197 :
1198 40 : return 0;
1199 : }
1200 :
1201 : gpg_err_code_t
1202 0 : _gcry_cipher_getctr (gcry_cipher_hd_t hd, void *ctr, size_t ctrlen)
1203 : {
1204 0 : if (ctr && ctrlen == hd->spec->blocksize)
1205 0 : memcpy (ctr, hd->u_ctr.ctr, hd->spec->blocksize);
1206 : else
1207 0 : return GPG_ERR_INV_ARG;
1208 :
1209 0 : return 0;
1210 : }
1211 :
1212 : gcry_err_code_t
1213 606292 : _gcry_cipher_authenticate (gcry_cipher_hd_t hd, const void *abuf,
1214 : size_t abuflen)
1215 : {
1216 : gcry_err_code_t rc;
1217 :
1218 606292 : switch (hd->mode)
1219 : {
1220 : case GCRY_CIPHER_MODE_CCM:
1221 18644 : rc = _gcry_cipher_ccm_authenticate (hd, abuf, abuflen);
1222 18644 : break;
1223 :
1224 : case GCRY_CIPHER_MODE_CMAC:
1225 0 : rc = _gcry_cipher_cmac_authenticate (hd, abuf, abuflen);
1226 0 : break;
1227 :
1228 : case GCRY_CIPHER_MODE_GCM:
1229 577404 : rc = _gcry_cipher_gcm_authenticate (hd, abuf, abuflen);
1230 577404 : break;
1231 :
1232 : case GCRY_CIPHER_MODE_POLY1305:
1233 1192 : rc = _gcry_cipher_poly1305_authenticate (hd, abuf, abuflen);
1234 1192 : break;
1235 :
1236 : case GCRY_CIPHER_MODE_OCB:
1237 9052 : rc = _gcry_cipher_ocb_authenticate (hd, abuf, abuflen);
1238 9052 : break;
1239 :
1240 : default:
1241 0 : log_error ("gcry_cipher_authenticate: invalid mode %d\n", hd->mode);
1242 0 : rc = GPG_ERR_INV_CIPHER_MODE;
1243 0 : break;
1244 : }
1245 :
1246 606292 : return rc;
1247 : }
1248 :
1249 :
1250 : gcry_err_code_t
1251 101057 : _gcry_cipher_gettag (gcry_cipher_hd_t hd, void *outtag, size_t taglen)
1252 : {
1253 : gcry_err_code_t rc;
1254 :
1255 101057 : switch (hd->mode)
1256 : {
1257 : case GCRY_CIPHER_MODE_CCM:
1258 45948 : rc = _gcry_cipher_ccm_get_tag (hd, outtag, taglen);
1259 45948 : break;
1260 :
1261 : case GCRY_CIPHER_MODE_CMAC:
1262 0 : rc = _gcry_cipher_cmac_get_tag (hd, outtag, taglen);
1263 0 : break;
1264 :
1265 : case GCRY_CIPHER_MODE_GCM:
1266 32899 : rc = _gcry_cipher_gcm_get_tag (hd, outtag, taglen);
1267 32899 : break;
1268 :
1269 : case GCRY_CIPHER_MODE_POLY1305:
1270 2122 : rc = _gcry_cipher_poly1305_get_tag (hd, outtag, taglen);
1271 2122 : break;
1272 :
1273 : case GCRY_CIPHER_MODE_OCB:
1274 20088 : rc = _gcry_cipher_ocb_get_tag (hd, outtag, taglen);
1275 20088 : break;
1276 :
1277 : default:
1278 0 : log_error ("gcry_cipher_gettag: invalid mode %d\n", hd->mode);
1279 0 : rc = GPG_ERR_INV_CIPHER_MODE;
1280 0 : break;
1281 : }
1282 :
1283 101057 : return rc;
1284 : }
1285 :
1286 :
1287 : gcry_err_code_t
1288 44494 : _gcry_cipher_checktag (gcry_cipher_hd_t hd, const void *intag, size_t taglen)
1289 : {
1290 : gcry_err_code_t rc;
1291 :
1292 44494 : switch (hd->mode)
1293 : {
1294 : case GCRY_CIPHER_MODE_CCM:
1295 24018 : rc = _gcry_cipher_ccm_check_tag (hd, intag, taglen);
1296 24018 : break;
1297 :
1298 : case GCRY_CIPHER_MODE_CMAC:
1299 0 : rc = _gcry_cipher_cmac_check_tag (hd, intag, taglen);
1300 0 : break;
1301 :
1302 : case GCRY_CIPHER_MODE_GCM:
1303 10838 : rc = _gcry_cipher_gcm_check_tag (hd, intag, taglen);
1304 10838 : break;
1305 :
1306 : case GCRY_CIPHER_MODE_POLY1305:
1307 854 : rc = _gcry_cipher_poly1305_check_tag (hd, intag, taglen);
1308 854 : break;
1309 :
1310 : case GCRY_CIPHER_MODE_OCB:
1311 8784 : rc = _gcry_cipher_ocb_check_tag (hd, intag, taglen);
1312 8784 : break;
1313 :
1314 : default:
1315 0 : log_error ("gcry_cipher_checktag: invalid mode %d\n", hd->mode);
1316 0 : rc = GPG_ERR_INV_CIPHER_MODE;
1317 0 : break;
1318 : }
1319 :
1320 44494 : return rc;
1321 : }
1322 :
1323 :
1324 : gcry_err_code_t
1325 370392 : _gcry_cipher_ctl (gcry_cipher_hd_t h, int cmd, void *buffer, size_t buflen)
1326 : {
1327 370392 : gcry_err_code_t rc = 0;
1328 :
1329 370392 : switch (cmd)
1330 : {
1331 : case GCRYCTL_RESET:
1332 63126 : cipher_reset (h);
1333 63126 : break;
1334 :
1335 : case GCRYCTL_FINALIZE:
1336 234124 : if (!h || buffer || buflen)
1337 0 : return GPG_ERR_INV_ARG;
1338 234124 : h->marks.finalize = 1;
1339 234124 : break;
1340 :
1341 : case GCRYCTL_CFB_SYNC:
1342 0 : cipher_sync( h );
1343 0 : break;
1344 :
1345 : case GCRYCTL_SET_CBC_CTS:
1346 0 : if (buflen)
1347 0 : if (h->flags & GCRY_CIPHER_CBC_MAC)
1348 0 : rc = GPG_ERR_INV_FLAG;
1349 : else
1350 0 : h->flags |= GCRY_CIPHER_CBC_CTS;
1351 : else
1352 0 : h->flags &= ~GCRY_CIPHER_CBC_CTS;
1353 0 : break;
1354 :
1355 : case GCRYCTL_SET_CBC_MAC:
1356 0 : if (buflen)
1357 0 : if (h->flags & GCRY_CIPHER_CBC_CTS)
1358 0 : rc = GPG_ERR_INV_FLAG;
1359 : else
1360 0 : h->flags |= GCRY_CIPHER_CBC_MAC;
1361 : else
1362 0 : h->flags &= ~GCRY_CIPHER_CBC_MAC;
1363 0 : break;
1364 :
1365 : case GCRYCTL_SET_CCM_LENGTHS:
1366 : {
1367 : u64 params[3];
1368 : size_t encryptedlen;
1369 : size_t aadlen;
1370 : size_t authtaglen;
1371 :
1372 73038 : if (h->mode != GCRY_CIPHER_MODE_CCM)
1373 0 : return GPG_ERR_INV_CIPHER_MODE;
1374 :
1375 73038 : if (!buffer || buflen != 3 * sizeof(u64))
1376 0 : return GPG_ERR_INV_ARG;
1377 :
1378 : /* This command is used to pass additional length parameters needed
1379 : by CCM mode to initialize CBC-MAC. */
1380 73038 : memcpy (params, buffer, sizeof(params));
1381 73038 : encryptedlen = params[0];
1382 73038 : aadlen = params[1];
1383 73038 : authtaglen = params[2];
1384 :
1385 73038 : rc = _gcry_cipher_ccm_set_lengths (h, encryptedlen, aadlen, authtaglen);
1386 : }
1387 73038 : break;
1388 :
1389 : case GCRYCTL_SET_TAGLEN:
1390 72 : if (!h || !buffer || buflen != sizeof(int) )
1391 0 : return GPG_ERR_INV_ARG;
1392 72 : switch (h->mode)
1393 : {
1394 : case GCRY_CIPHER_MODE_OCB:
1395 72 : switch (*(int*)buffer)
1396 : {
1397 : case 8: case 12: case 16:
1398 72 : h->u_mode.ocb.taglen = *(int*)buffer;
1399 72 : break;
1400 : default:
1401 0 : rc = GPG_ERR_INV_LENGTH; /* Invalid tag length. */
1402 0 : break;
1403 : }
1404 72 : break;
1405 :
1406 : default:
1407 0 : rc =GPG_ERR_INV_CIPHER_MODE;
1408 0 : break;
1409 : }
1410 72 : break;
1411 :
1412 : case GCRYCTL_DISABLE_ALGO:
1413 : /* This command expects NULL for H and BUFFER to point to an
1414 : integer with the algo number. */
1415 0 : if( h || !buffer || buflen != sizeof(int) )
1416 0 : return GPG_ERR_CIPHER_ALGO;
1417 0 : disable_cipher_algo( *(int*)buffer );
1418 0 : break;
1419 :
1420 : case PRIV_CIPHERCTL_DISABLE_WEAK_KEY: /* (private) */
1421 0 : if (h->spec->set_extra_info)
1422 0 : rc = h->spec->set_extra_info
1423 0 : (&h->context.c, CIPHER_INFO_NO_WEAK_KEY, NULL, 0);
1424 : else
1425 0 : rc = GPG_ERR_NOT_SUPPORTED;
1426 0 : break;
1427 :
1428 : case PRIV_CIPHERCTL_GET_INPUT_VECTOR: /* (private) */
1429 : /* This is the input block as used in CFB and OFB mode which has
1430 : initially been set as IV. The returned format is:
1431 : 1 byte Actual length of the block in bytes.
1432 : n byte The block.
1433 : If the provided buffer is too short, an error is returned. */
1434 0 : if (buflen < (1 + h->spec->blocksize))
1435 0 : rc = GPG_ERR_TOO_SHORT;
1436 : else
1437 : {
1438 : unsigned char *ivp;
1439 0 : unsigned char *dst = buffer;
1440 0 : int n = h->unused;
1441 :
1442 0 : if (!n)
1443 0 : n = h->spec->blocksize;
1444 0 : gcry_assert (n <= h->spec->blocksize);
1445 0 : *dst++ = n;
1446 0 : ivp = h->u_iv.iv + h->spec->blocksize - n;
1447 0 : while (n--)
1448 0 : *dst++ = *ivp++;
1449 : }
1450 0 : break;
1451 :
1452 : case GCRYCTL_SET_SBOX:
1453 32 : if (h->spec->set_extra_info)
1454 64 : rc = h->spec->set_extra_info
1455 32 : (&h->context.c, GCRYCTL_SET_SBOX, buffer, buflen);
1456 : else
1457 0 : rc = GPG_ERR_NOT_SUPPORTED;
1458 32 : break;
1459 :
1460 : default:
1461 0 : rc = GPG_ERR_INV_OP;
1462 : }
1463 :
1464 370392 : return rc;
1465 : }
1466 :
1467 :
1468 : /* Return information about the cipher handle H. CMD is the kind of
1469 : * information requested.
1470 : *
1471 : * CMD may be one of:
1472 : *
1473 : * GCRYCTL_GET_TAGLEN:
1474 : * Return the length of the tag for an AE algorithm mode. An
1475 : * error is returned for modes which do not support a tag.
1476 : * BUFFER must be given as NULL. On success the result is stored
1477 : * at NBYTES. The taglen is returned in bytes.
1478 : *
1479 : * The function returns 0 on success or an error code.
1480 : */
1481 : gcry_err_code_t
1482 904 : _gcry_cipher_info (gcry_cipher_hd_t h, int cmd, void *buffer, size_t *nbytes)
1483 : {
1484 904 : gcry_err_code_t rc = 0;
1485 :
1486 904 : switch (cmd)
1487 : {
1488 : case GCRYCTL_GET_TAGLEN:
1489 904 : if (!h || buffer || !nbytes)
1490 0 : rc = GPG_ERR_INV_ARG;
1491 : else
1492 : {
1493 904 : switch (h->mode)
1494 : {
1495 : case GCRY_CIPHER_MODE_OCB:
1496 68 : *nbytes = h->u_mode.ocb.taglen;
1497 68 : break;
1498 :
1499 : case GCRY_CIPHER_MODE_CCM:
1500 672 : *nbytes = h->u_mode.ccm.authlen;
1501 672 : break;
1502 :
1503 : case GCRY_CIPHER_MODE_GCM:
1504 128 : *nbytes = GCRY_GCM_BLOCK_LEN;
1505 128 : break;
1506 :
1507 : case GCRY_CIPHER_MODE_POLY1305:
1508 16 : *nbytes = POLY1305_TAGLEN;
1509 16 : break;
1510 :
1511 : default:
1512 20 : rc = GPG_ERR_INV_CIPHER_MODE;
1513 20 : break;
1514 : }
1515 : }
1516 904 : break;
1517 :
1518 : default:
1519 0 : rc = GPG_ERR_INV_OP;
1520 : }
1521 :
1522 904 : return rc;
1523 : }
1524 :
1525 : /* Return information about the given cipher algorithm ALGO.
1526 :
1527 : WHAT select the kind of information returned:
1528 :
1529 : GCRYCTL_GET_KEYLEN:
1530 : Return the length of the key. If the algorithm ALGO
1531 : supports multiple key lengths, the maximum supported key length
1532 : is returned. The key length is returned as number of octets.
1533 : BUFFER and NBYTES must be zero.
1534 :
1535 : GCRYCTL_GET_BLKLEN:
1536 : Return the blocklength of the algorithm ALGO counted in octets.
1537 : BUFFER and NBYTES must be zero.
1538 :
1539 : GCRYCTL_TEST_ALGO:
1540 : Returns 0 if the specified algorithm ALGO is available for use.
1541 : BUFFER and NBYTES must be zero.
1542 :
1543 : Note: Because this function is in most cases used to return an
1544 : integer value, we can make it easier for the caller to just look at
1545 : the return value. The caller will in all cases consult the value
1546 : and thereby detecting whether a error occurred or not (i.e. while
1547 : checking the block size)
1548 : */
1549 : gcry_err_code_t
1550 16184 : _gcry_cipher_algo_info (int algo, int what, void *buffer, size_t *nbytes)
1551 : {
1552 16184 : gcry_err_code_t rc = 0;
1553 : unsigned int ui;
1554 :
1555 16184 : switch (what)
1556 : {
1557 : case GCRYCTL_GET_KEYLEN:
1558 7257 : if (buffer || (! nbytes))
1559 0 : rc = GPG_ERR_CIPHER_ALGO;
1560 : else
1561 : {
1562 7257 : ui = cipher_get_keylen (algo);
1563 7257 : if ((ui > 0) && (ui <= 512))
1564 7257 : *nbytes = (size_t) ui / 8;
1565 : else
1566 : /* The only reason for an error is an invalid algo. */
1567 0 : rc = GPG_ERR_CIPHER_ALGO;
1568 : }
1569 7257 : break;
1570 :
1571 : case GCRYCTL_GET_BLKLEN:
1572 7745 : if (buffer || (! nbytes))
1573 0 : rc = GPG_ERR_CIPHER_ALGO;
1574 : else
1575 : {
1576 7745 : ui = cipher_get_blocksize (algo);
1577 7745 : if ((ui > 0) && (ui < 10000))
1578 7745 : *nbytes = ui;
1579 : else
1580 : {
1581 : /* The only reason is an invalid algo or a strange
1582 : blocksize. */
1583 0 : rc = GPG_ERR_CIPHER_ALGO;
1584 : }
1585 : }
1586 7745 : break;
1587 :
1588 : case GCRYCTL_TEST_ALGO:
1589 1182 : if (buffer || nbytes)
1590 0 : rc = GPG_ERR_INV_ARG;
1591 : else
1592 1182 : rc = check_cipher_algo (algo);
1593 1182 : break;
1594 :
1595 : default:
1596 0 : rc = GPG_ERR_INV_OP;
1597 : }
1598 :
1599 16184 : return rc;
1600 : }
1601 :
1602 :
1603 : /* This function returns length of the key for algorithm ALGO. If the
1604 : algorithm supports multiple key lengths, the maximum supported key
1605 : length is returned. On error 0 is returned. The key length is
1606 : returned as number of octets.
1607 :
1608 : This is a convenience functions which should be preferred over
1609 : gcry_cipher_algo_info because it allows for proper type
1610 : checking. */
1611 : size_t
1612 7257 : _gcry_cipher_get_algo_keylen (int algo)
1613 : {
1614 : size_t n;
1615 :
1616 7257 : if (_gcry_cipher_algo_info (algo, GCRYCTL_GET_KEYLEN, NULL, &n))
1617 0 : n = 0;
1618 7257 : return n;
1619 : }
1620 :
1621 :
1622 : /* This functions returns the blocklength of the algorithm ALGO
1623 : counted in octets. On error 0 is returned.
1624 :
1625 : This is a convenience functions which should be preferred over
1626 : gcry_cipher_algo_info because it allows for proper type
1627 : checking. */
1628 : size_t
1629 7745 : _gcry_cipher_get_algo_blklen (int algo)
1630 : {
1631 : size_t n;
1632 :
1633 7745 : if (_gcry_cipher_algo_info( algo, GCRYCTL_GET_BLKLEN, NULL, &n))
1634 0 : n = 0;
1635 7745 : return n;
1636 : }
1637 :
1638 :
1639 : /* Explicitly initialize this module. */
1640 : gcry_err_code_t
1641 34 : _gcry_cipher_init (void)
1642 : {
1643 34 : if (fips_mode())
1644 : {
1645 : /* disable algorithms that are disallowed in fips */
1646 : int idx;
1647 : gcry_cipher_spec_t *spec;
1648 :
1649 0 : for (idx = 0; (spec = cipher_list[idx]); idx++)
1650 0 : if (!spec->flags.fips)
1651 0 : spec->flags.disabled = 1;
1652 : }
1653 :
1654 34 : return 0;
1655 : }
1656 :
1657 :
1658 : /* Run the selftests for cipher algorithm ALGO with optional reporting
1659 : function REPORT. */
1660 : gpg_error_t
1661 8 : _gcry_cipher_selftest (int algo, int extended, selftest_report_func_t report)
1662 : {
1663 8 : gcry_err_code_t ec = 0;
1664 : gcry_cipher_spec_t *spec;
1665 :
1666 8 : spec = spec_from_algo (algo);
1667 8 : if (spec && !spec->flags.disabled && spec->selftest)
1668 8 : ec = spec->selftest (algo, extended, report);
1669 : else
1670 : {
1671 0 : ec = GPG_ERR_CIPHER_ALGO;
1672 0 : if (report)
1673 0 : report ("cipher", algo, "module",
1674 0 : (spec && !spec->flags.disabled)?
1675 : "no selftest available" :
1676 0 : spec? "algorithm disabled" : "algorithm not found");
1677 : }
1678 :
1679 8 : return gpg_error (ec);
1680 : }
|
