aes_gcm_ossl.c 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428
  1. /*
  2. * aes_gcm_ossl.c
  3. *
  4. * AES Galois Counter Mode
  5. *
  6. * John A. Foley
  7. * Cisco Systems, Inc.
  8. *
  9. */
  10. /*
  11. *
  12. * Copyright (c) 2013-2017, Cisco Systems, Inc.
  13. * All rights reserved.
  14. *
  15. * Redistribution and use in source and binary forms, with or without
  16. * modification, are permitted provided that the following conditions
  17. * are met:
  18. *
  19. * Redistributions of source code must retain the above copyright
  20. * notice, this list of conditions and the following disclaimer.
  21. *
  22. * Redistributions in binary form must reproduce the above
  23. * copyright notice, this list of conditions and the following
  24. * disclaimer in the documentation and/or other materials provided
  25. * with the distribution.
  26. *
  27. * Neither the name of the Cisco Systems, Inc. nor the names of its
  28. * contributors may be used to endorse or promote products derived
  29. * from this software without specific prior written permission.
  30. *
  31. * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
  32. * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
  33. * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
  34. * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
  35. * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
  36. * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
  37. * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
  38. * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  39. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  40. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  41. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  42. * OF THE POSSIBILITY OF SUCH DAMAGE.
  43. *
  44. */
  45. #ifdef HAVE_CONFIG_H
  46. #include <config.h>
  47. #endif
  48. #include <openssl/evp.h>
  49. #include "aes_gcm.h"
  50. #include "alloc.h"
  51. #include "err.h" /* for srtp_debug */
  52. #include "crypto_types.h"
  53. #include "cipher_types.h"
  54. #include "cipher_test_cases.h"
  55. srtp_debug_module_t srtp_mod_aes_gcm = {
  56. 0, /* debugging is off by default */
  57. "aes gcm" /* printable module name */
  58. };
  59. /*
  60. * For now we only support 8 and 16 octet tags. The spec allows for
  61. * optional 12 byte tag, which may be supported in the future.
  62. */
  63. #define GCM_AUTH_TAG_LEN 16
  64. #define GCM_AUTH_TAG_LEN_8 8
  65. /*
  66. * This function allocates a new instance of this crypto engine.
  67. * The key_len parameter should be one of 28 or 44 for
  68. * AES-128-GCM or AES-256-GCM respectively. Note that the
  69. * key length includes the 14 byte salt value that is used when
  70. * initializing the KDF.
  71. */
  72. static srtp_err_status_t srtp_aes_gcm_openssl_alloc(srtp_cipher_t **c,
  73. int key_len,
  74. int tlen)
  75. {
  76. srtp_aes_gcm_ctx_t *gcm;
  77. debug_print(srtp_mod_aes_gcm, "allocating cipher with key length %d",
  78. key_len);
  79. debug_print(srtp_mod_aes_gcm, "allocating cipher with tag length %d", tlen);
  80. /*
  81. * Verify the key_len is valid for one of: AES-128/256
  82. */
  83. if (key_len != SRTP_AES_GCM_128_KEY_LEN_WSALT &&
  84. key_len != SRTP_AES_GCM_256_KEY_LEN_WSALT) {
  85. return (srtp_err_status_bad_param);
  86. }
  87. if (tlen != GCM_AUTH_TAG_LEN && tlen != GCM_AUTH_TAG_LEN_8) {
  88. return (srtp_err_status_bad_param);
  89. }
  90. /* allocate memory a cipher of type aes_gcm */
  91. *c = (srtp_cipher_t *)srtp_crypto_alloc(sizeof(srtp_cipher_t));
  92. if (*c == NULL) {
  93. return (srtp_err_status_alloc_fail);
  94. }
  95. gcm = (srtp_aes_gcm_ctx_t *)srtp_crypto_alloc(sizeof(srtp_aes_gcm_ctx_t));
  96. if (gcm == NULL) {
  97. srtp_crypto_free(*c);
  98. *c = NULL;
  99. return (srtp_err_status_alloc_fail);
  100. }
  101. gcm->ctx = EVP_CIPHER_CTX_new();
  102. if (gcm->ctx == NULL) {
  103. srtp_crypto_free(gcm);
  104. srtp_crypto_free(*c);
  105. *c = NULL;
  106. return srtp_err_status_alloc_fail;
  107. }
  108. /* set pointers */
  109. (*c)->state = gcm;
  110. /* setup cipher attributes */
  111. switch (key_len) {
  112. case SRTP_AES_GCM_128_KEY_LEN_WSALT:
  113. (*c)->type = &srtp_aes_gcm_128;
  114. (*c)->algorithm = SRTP_AES_GCM_128;
  115. gcm->key_size = SRTP_AES_128_KEY_LEN;
  116. gcm->tag_len = tlen;
  117. break;
  118. case SRTP_AES_GCM_256_KEY_LEN_WSALT:
  119. (*c)->type = &srtp_aes_gcm_256;
  120. (*c)->algorithm = SRTP_AES_GCM_256;
  121. gcm->key_size = SRTP_AES_256_KEY_LEN;
  122. gcm->tag_len = tlen;
  123. break;
  124. }
  125. /* set key size */
  126. (*c)->key_len = key_len;
  127. return (srtp_err_status_ok);
  128. }
  129. /*
  130. * This function deallocates a GCM session
  131. */
  132. static srtp_err_status_t srtp_aes_gcm_openssl_dealloc(srtp_cipher_t *c)
  133. {
  134. srtp_aes_gcm_ctx_t *ctx;
  135. ctx = (srtp_aes_gcm_ctx_t *)c->state;
  136. if (ctx) {
  137. EVP_CIPHER_CTX_free(ctx->ctx);
  138. /* zeroize the key material */
  139. octet_string_set_to_zero(ctx, sizeof(srtp_aes_gcm_ctx_t));
  140. srtp_crypto_free(ctx);
  141. }
  142. /* free memory */
  143. srtp_crypto_free(c);
  144. return (srtp_err_status_ok);
  145. }
  146. /*
  147. * aes_gcm_openssl_context_init(...) initializes the aes_gcm_context
  148. * using the value in key[].
  149. *
  150. * the key is the secret key
  151. */
  152. static srtp_err_status_t srtp_aes_gcm_openssl_context_init(void *cv,
  153. const uint8_t *key)
  154. {
  155. srtp_aes_gcm_ctx_t *c = (srtp_aes_gcm_ctx_t *)cv;
  156. const EVP_CIPHER *evp;
  157. c->dir = srtp_direction_any;
  158. debug_print(srtp_mod_aes_gcm, "key: %s",
  159. srtp_octet_string_hex_string(key, c->key_size));
  160. switch (c->key_size) {
  161. case SRTP_AES_256_KEY_LEN:
  162. evp = EVP_aes_256_gcm();
  163. break;
  164. case SRTP_AES_128_KEY_LEN:
  165. evp = EVP_aes_128_gcm();
  166. break;
  167. default:
  168. return (srtp_err_status_bad_param);
  169. break;
  170. }
  171. EVP_CIPHER_CTX_cleanup(c->ctx);
  172. if (!EVP_CipherInit_ex(c->ctx, evp, NULL, key, NULL, 0)) {
  173. return (srtp_err_status_init_fail);
  174. }
  175. return (srtp_err_status_ok);
  176. }
  177. /*
  178. * aes_gcm_openssl_set_iv(c, iv) sets the counter value to the exor of iv with
  179. * the offset
  180. */
  181. static srtp_err_status_t srtp_aes_gcm_openssl_set_iv(
  182. void *cv,
  183. uint8_t *iv,
  184. srtp_cipher_direction_t direction)
  185. {
  186. srtp_aes_gcm_ctx_t *c = (srtp_aes_gcm_ctx_t *)cv;
  187. if (direction != srtp_direction_encrypt &&
  188. direction != srtp_direction_decrypt) {
  189. return (srtp_err_status_bad_param);
  190. }
  191. c->dir = direction;
  192. debug_print(srtp_mod_aes_gcm, "setting iv: %s",
  193. srtp_octet_string_hex_string(iv, 12));
  194. if (!EVP_CIPHER_CTX_ctrl(c->ctx, EVP_CTRL_GCM_SET_IVLEN, 12, 0)) {
  195. return (srtp_err_status_init_fail);
  196. }
  197. if (!EVP_CipherInit_ex(c->ctx, NULL, NULL, NULL, iv,
  198. (c->dir == srtp_direction_encrypt ? 1 : 0))) {
  199. return (srtp_err_status_init_fail);
  200. }
  201. return (srtp_err_status_ok);
  202. }
  203. /*
  204. * This function processes the AAD
  205. *
  206. * Parameters:
  207. * c Crypto context
  208. * aad Additional data to process for AEAD cipher suites
  209. * aad_len length of aad buffer
  210. */
  211. static srtp_err_status_t srtp_aes_gcm_openssl_set_aad(void *cv,
  212. const uint8_t *aad,
  213. uint32_t aad_len)
  214. {
  215. srtp_aes_gcm_ctx_t *c = (srtp_aes_gcm_ctx_t *)cv;
  216. int rv;
  217. debug_print(srtp_mod_aes_gcm, "setting AAD: %s",
  218. srtp_octet_string_hex_string(aad, aad_len));
  219. /*
  220. * EVP_CTRL_GCM_SET_TAG can only be used when decrypting
  221. */
  222. if (c->dir == srtp_direction_decrypt) {
  223. /*
  224. * Set dummy tag, OpenSSL requires the Tag to be set before
  225. * processing AAD
  226. */
  227. /*
  228. * OpenSSL never write to address pointed by the last parameter of
  229. * EVP_CIPHER_CTX_ctrl while EVP_CTRL_GCM_SET_TAG (in reality,
  230. * OpenSSL copy its content to the context), so we can make
  231. * aad read-only in this function and all its wrappers.
  232. */
  233. unsigned char dummy_tag[GCM_AUTH_TAG_LEN];
  234. memset(dummy_tag, 0x0, GCM_AUTH_TAG_LEN);
  235. if (!EVP_CIPHER_CTX_ctrl(c->ctx, EVP_CTRL_GCM_SET_TAG, c->tag_len,
  236. &dummy_tag)) {
  237. return (srtp_err_status_algo_fail);
  238. }
  239. }
  240. rv = EVP_Cipher(c->ctx, NULL, aad, aad_len);
  241. if (rv != aad_len) {
  242. return (srtp_err_status_algo_fail);
  243. } else {
  244. return (srtp_err_status_ok);
  245. }
  246. }
  247. /*
  248. * This function encrypts a buffer using AES GCM mode
  249. *
  250. * Parameters:
  251. * c Crypto context
  252. * buf data to encrypt
  253. * enc_len length of encrypt buffer
  254. */
  255. static srtp_err_status_t srtp_aes_gcm_openssl_encrypt(void *cv,
  256. unsigned char *buf,
  257. unsigned int *enc_len)
  258. {
  259. srtp_aes_gcm_ctx_t *c = (srtp_aes_gcm_ctx_t *)cv;
  260. if (c->dir != srtp_direction_encrypt && c->dir != srtp_direction_decrypt) {
  261. return (srtp_err_status_bad_param);
  262. }
  263. /*
  264. * Encrypt the data
  265. */
  266. EVP_Cipher(c->ctx, buf, buf, *enc_len);
  267. return (srtp_err_status_ok);
  268. }
  269. /*
  270. * This function calculates and returns the GCM tag for a given context.
  271. * This should be called after encrypting the data. The *len value
  272. * is increased by the tag size. The caller must ensure that *buf has
  273. * enough room to accept the appended tag.
  274. *
  275. * Parameters:
  276. * c Crypto context
  277. * buf data to encrypt
  278. * len length of encrypt buffer
  279. */
  280. static srtp_err_status_t srtp_aes_gcm_openssl_get_tag(void *cv,
  281. uint8_t *buf,
  282. uint32_t *len)
  283. {
  284. srtp_aes_gcm_ctx_t *c = (srtp_aes_gcm_ctx_t *)cv;
  285. /*
  286. * Calculate the tag
  287. */
  288. EVP_Cipher(c->ctx, NULL, NULL, 0);
  289. /*
  290. * Retreive the tag
  291. */
  292. if (!EVP_CIPHER_CTX_ctrl(c->ctx, EVP_CTRL_GCM_GET_TAG, c->tag_len, buf)) {
  293. return (srtp_err_status_algo_fail);
  294. }
  295. /*
  296. * Increase encryption length by desired tag size
  297. */
  298. *len = c->tag_len;
  299. return (srtp_err_status_ok);
  300. }
  301. /*
  302. * This function decrypts a buffer using AES GCM mode
  303. *
  304. * Parameters:
  305. * c Crypto context
  306. * buf data to encrypt
  307. * enc_len length of encrypt buffer
  308. */
  309. static srtp_err_status_t srtp_aes_gcm_openssl_decrypt(void *cv,
  310. unsigned char *buf,
  311. unsigned int *enc_len)
  312. {
  313. srtp_aes_gcm_ctx_t *c = (srtp_aes_gcm_ctx_t *)cv;
  314. if (c->dir != srtp_direction_encrypt && c->dir != srtp_direction_decrypt) {
  315. return (srtp_err_status_bad_param);
  316. }
  317. /*
  318. * Set the tag before decrypting
  319. */
  320. if (!EVP_CIPHER_CTX_ctrl(c->ctx, EVP_CTRL_GCM_SET_TAG, c->tag_len,
  321. buf + (*enc_len - c->tag_len))) {
  322. return (srtp_err_status_auth_fail);
  323. }
  324. EVP_Cipher(c->ctx, buf, buf, *enc_len - c->tag_len);
  325. /*
  326. * Check the tag
  327. */
  328. if (EVP_Cipher(c->ctx, NULL, NULL, 0)) {
  329. return (srtp_err_status_auth_fail);
  330. }
  331. /*
  332. * Reduce the buffer size by the tag length since the tag
  333. * is not part of the original payload
  334. */
  335. *enc_len -= c->tag_len;
  336. return (srtp_err_status_ok);
  337. }
  338. /*
  339. * Name of this crypto engine
  340. */
  341. static const char srtp_aes_gcm_128_openssl_description[] =
  342. "AES-128 GCM using openssl";
  343. static const char srtp_aes_gcm_256_openssl_description[] =
  344. "AES-256 GCM using openssl";
  345. /*
  346. * This is the vector function table for this crypto engine.
  347. */
  348. const srtp_cipher_type_t srtp_aes_gcm_128 = {
  349. srtp_aes_gcm_openssl_alloc,
  350. srtp_aes_gcm_openssl_dealloc,
  351. srtp_aes_gcm_openssl_context_init,
  352. srtp_aes_gcm_openssl_set_aad,
  353. srtp_aes_gcm_openssl_encrypt,
  354. srtp_aes_gcm_openssl_decrypt,
  355. srtp_aes_gcm_openssl_set_iv,
  356. srtp_aes_gcm_openssl_get_tag,
  357. srtp_aes_gcm_128_openssl_description,
  358. &srtp_aes_gcm_128_test_case_0,
  359. SRTP_AES_GCM_128
  360. };
  361. /*
  362. * This is the vector function table for this crypto engine.
  363. */
  364. const srtp_cipher_type_t srtp_aes_gcm_256 = {
  365. srtp_aes_gcm_openssl_alloc,
  366. srtp_aes_gcm_openssl_dealloc,
  367. srtp_aes_gcm_openssl_context_init,
  368. srtp_aes_gcm_openssl_set_aad,
  369. srtp_aes_gcm_openssl_encrypt,
  370. srtp_aes_gcm_openssl_decrypt,
  371. srtp_aes_gcm_openssl_set_iv,
  372. srtp_aes_gcm_openssl_get_tag,
  373. srtp_aes_gcm_256_openssl_description,
  374. &srtp_aes_gcm_256_test_case_0,
  375. SRTP_AES_GCM_256
  376. };