/*
Copyright (c) 2014 Google Inc.
Copyright (c) 2014, 2015 MariaDB Corporation
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; version 2 of the License.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
#include <my_global.h>
#include <string.h>
#include <my_crypt.h>
#ifdef HAVE_YASSL
#include "yassl.cc"
#else
#include <openssl/evp.h>
#include <openssl/aes.h>
#include <openssl/err.h>
#ifdef HAVE_ERR_remove_thread_state
#define ERR_remove_state(X) ERR_remove_thread_state(NULL)
#endif
#endif
/*
  Thin wrapper around an OpenSSL EVP_CIPHER_CTX. The three steps of a
  cipher operation (init, update, finish) are virtual so that the
  mode-specific subclasses can override them.
*/
class MyCTX
{
public:
  EVP_CIPHER_CTX ctx;

  MyCTX()
  {
    EVP_CIPHER_CTX_init(&ctx);
  }

  /* releases the cipher context, then calls ERR_remove_state() */
  virtual ~MyCTX()
  {
    EVP_CIPHER_CTX_cleanup(&ctx);
    ERR_remove_state(0);
  }

  /*
    Binds cipher, key and IV to the context.

    @param cipher   EVP cipher to use; NULL is reported as a bad key size
    @param encrypt  passed through to EVP_CipherInit_ex()
    @param key      key bytes
    @param klen     key length in bytes
    @param iv       initialization vector
    @param ivlen    number of bytes available behind iv

    @return MY_AES_OK, MY_AES_BAD_KEYSIZE or MY_AES_OPENSSL_ERROR
  */
  virtual int init(const EVP_CIPHER *cipher, int encrypt, const uchar *key,
                   uint klen, const uchar *iv, uint ivlen)
  {
    if (unlikely(cipher == NULL))
      return MY_AES_BAD_KEYSIZE;

    const int initialized= EVP_CipherInit_ex(&ctx, cipher, NULL, key, iv,
                                             encrypt);
    if (!initialized)
      return MY_AES_OPENSSL_ERROR;

    /*
      NOTE(review): klen and ivlen are verified only by these assertions,
      and only after OpenSSL has already been handed key and iv. If
      DBUG_ASSERT compiles to nothing in release builds (confirm), a
      caller passing a buffer shorter than the cipher expects is not
      detected here.
    */
    DBUG_ASSERT(EVP_CIPHER_CTX_key_length(&ctx) == (int)klen);
    DBUG_ASSERT(EVP_CIPHER_CTX_iv_length(&ctx) <= (int)ivlen);

    return MY_AES_OK;
  }

  /*
    Processes slen bytes from src into dst; the number of bytes written
    is stored in *dlen.

    @return MY_AES_OK or MY_AES_OPENSSL_ERROR
  */
  virtual int update(const uchar *src, uint slen, uchar *dst, uint *dlen)
  {
    return EVP_CipherUpdate(&ctx, dst, (int*)dlen, src, slen)
           ? MY_AES_OK : MY_AES_OPENSSL_ERROR;
  }

  /*
    Finalizes the operation, writing any remaining output to dst and its
    length to *dlen.

    @return MY_AES_OK, or MY_AES_BAD_DATA when OpenSSL rejects the
            final block
  */
  virtual int finish(uchar *dst, uint *dlen)
  {
    return EVP_CipherFinal_ex(&ctx, dst, (int*)dlen)
           ? MY_AES_OK : MY_AES_BAD_DATA;
  }
};
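/*
  Block cipher context with OpenSSL padding switched off. Input that is
  not a multiple of the block length is handled in finish(): the trailing
  partial block is XOR-ed with a mask derived from the key and the
  original IV.
*/
class MyCTX_nopad : public MyCTX
{
public:
  const uchar *key;   /* borrowed from the caller; must outlive finish() */
  int klen;

  MyCTX_nopad() : MyCTX() { }
  ~MyCTX_nopad() { }

  /*
    Same contract as MyCTX::init(). Additionally remembers the key and
    keeps a copy of the IV in ctx.oiv, because finish() needs both.
  */
  int init(const EVP_CIPHER *cipher, int encrypt, const uchar *key, uint klen,
           const uchar *iv, uint ivlen)
  {
    compile_time_assert(MY_AES_CTX_SIZE >= sizeof(MyCTX_nopad));
    this->key= key;
    this->klen= klen;
    int res= MyCTX::init(cipher, encrypt, key, klen, iv, ivlen);

    /*
      in ECB mode OpenSSL doesn't do that itself.
      ivlen comes from the caller: never copy more than ctx.oiv can hold,
      and do not call memcpy() at all when there is no IV (finish() below
      passes iv=0, ivlen=0 for its ECB call).
    */
    if (ivlen > sizeof(ctx.oiv))
      ivlen= (uint) sizeof(ctx.oiv);
    if (iv && ivlen)
      memcpy(ctx.oiv, iv, ivlen);

    EVP_CIPHER_CTX_set_padding(&ctx, 0);
    return res;
  }

  /*
    Emits the trailing partial block, if any, and stores its length in
    *dlen (0 when the input was a multiple of the block length).

    @return MY_AES_OK, or the error from deriving the mask; *dlen is 0
            in the error case
  */
  int finish(uchar *dst, uint *dlen)
  {
    if (ctx.buf_len)
    {
      /*
        Not much we can do, block ciphers cannot encrypt data that aren't
        a multiple of the block length. At least not without padding.
        Let's do something CTR-like for the last partial block.

        The mask depends only on the key and the saved IV, so the tail is
        exactly as unique as the IV the caller supplied.
      */
      uchar mask[MY_AES_BLOCK_SIZE];
      uint mlen= 0;

      int res= my_aes_crypt(MY_AES_ECB,
                            ENCRYPTION_FLAG_ENCRYPT | ENCRYPTION_FLAG_NOPAD,
                            ctx.oiv, sizeof(mask), mask, &mlen, key, klen,
                            0, 0);
      if (res != MY_AES_OK)
      {
        /* never XOR the data with an uninitialized mask */
        *dlen= 0;
        return res;
      }
      DBUG_ASSERT(mlen == sizeof(mask));

      for (int i=0; i < ctx.buf_len; i++)
        dst[i]= ctx.buf[i] ^ mask[i];
    }
    *dlen= ctx.buf_len;
    return MY_AES_OK;
  }
};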
/*
  Generates aes_<mode>(klen), which maps a key length in bytes to the
  matching EVP_aes_{128,192,256}_<mode>() cipher. Any other key length
  yields 0, which MyCTX::init() reports as MY_AES_BAD_KEYSIZE.
*/
#define make_aes_dispatcher(mode)                               \
  static inline const EVP_CIPHER *aes_ ## mode(uint klen)       \
  {                                                             \
    if (klen == 16)                                             \
      return EVP_aes_128_ ## mode();                            \
    if (klen == 24)                                             \
      return EVP_aes_192_ ## mode();                            \
    if (klen == 32)                                             \
      return EVP_aes_256_ ## mode();                            \
    return 0;                                                   \
  }

make_aes_dispatcher(ecb)
make_aes_dispatcher(cbc)
#ifdef HAVE_EncryptAes128Ctr
make_aes_dispatcher(ctr)
#endif /* HAVE_EncryptAes128Ctr */
/* this conditional stays open: it also covers the MyCTX_gcm class below */
#ifdef HAVE_EncryptAes128Gcm
make_aes_dispatcher(gcm)
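/*
  special implementation for GCM; to fit OpenSSL AES-GCM into the
  existing my_aes_* API it does the following:
    - IV tail (over 12 bytes) goes to AAD
    - the tag is appended to the ciphertext
*/
class MyCTX_gcm : public MyCTX
{
public:
  const uchar *aad;   /* points into the caller's iv buffer, not a copy */
  int aadlen;         /* reset to 0 once the AAD was fed to OpenSSL */

  MyCTX_gcm() : MyCTX() { }
  ~MyCTX_gcm() { }

  /*
    Same contract as MyCTX::init(). Whatever follows the cipher's own IV
    length inside iv is remembered as additional authenticated data.

    @return MY_AES_OK, the error from MyCTX::init(), or
            MY_AES_OPENSSL_ERROR when iv is shorter than the cipher's IV
  */
  int init(const EVP_CIPHER *cipher, int encrypt, const uchar *key, uint klen,
           const uchar *iv, uint ivlen)
  {
    compile_time_assert(MY_AES_CTX_SIZE >= sizeof(MyCTX_gcm));
    aad= NULL;
    aadlen= 0;

    int res= MyCTX::init(cipher, encrypt, key, klen, iv, ivlen);
    /*
      After a failed init (e.g. unsupported key length) the context may
      have no cipher bound, so its IV length must not be queried.
    */
    if (res != MY_AES_OK)
      return res;

    int real_ivlen= EVP_CIPHER_CTX_iv_length(&ctx);
    /* a short iv would otherwise produce a negative aadlen */
    if ((int) ivlen < real_ivlen)
      return MY_AES_OPENSSL_ERROR;

    aad= iv + real_ivlen;
    aadlen= ivlen - real_ivlen;
    return res;
  }

  /*
    Feeds the AAD (first call only) and then the data to OpenSSL.

    @return MY_AES_OK, MY_AES_OPENSSL_ERROR, or MY_AES_BAD_DATA when a
            ciphertext is too short to contain the tag
  */
  int update(const uchar *src, uint slen, uchar *dst, uint *dlen)
  {
    /*
      note that this GCM class cannot do streaming decryption, because
      it needs the tag (which is located at the end of encrypted data)
      before decrypting the data. it can encrypt data piecewise, like, first
      half, then the second half, but it must decrypt all at once
    */
    *dlen= 0;  /* callers add the lengths up even after an error */
    if (!ctx.encrypt)
    {
      /*
        The input must at least hold the trailing tag; without this check
        the unsigned subtraction wraps and the tag is read from far
        outside src.
      */
      if (slen < MY_AES_BLOCK_SIZE)
        return MY_AES_BAD_DATA;
      slen-= MY_AES_BLOCK_SIZE;
      if(!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_TAG, MY_AES_BLOCK_SIZE,
                              (void*)(src + slen)))
        return MY_AES_OPENSSL_ERROR;
    }
    int unused;
    if (aadlen && !EVP_CipherUpdate(&ctx, NULL, &unused, aad, aadlen))
      return MY_AES_OPENSSL_ERROR;
    aadlen= 0;
    return MyCTX::update(src, slen, dst, dlen);
  }

  /*
    Encryption: writes the MY_AES_BLOCK_SIZE byte tag to dst.
    Decryption: writes nothing; MY_AES_BAD_DATA means OpenSSL rejected
    the final step, and whatever update() already wrote to the output
    buffer must then be discarded by the caller.
  */
  int finish(uchar *dst, uint *dlen)
  {
    int fin;
    *dlen= 0;  /* defined on every return path */
    if (!EVP_CipherFinal_ex(&ctx, dst, &fin))
      return MY_AES_BAD_DATA;
    DBUG_ASSERT(fin == 0);

    if (ctx.encrypt)
    {
      if(!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_GET_TAG, MY_AES_BLOCK_SIZE, dst))
        return MY_AES_OPENSSL_ERROR;
      *dlen= MY_AES_BLOCK_SIZE;
    }
    return MY_AES_OK;
  }
};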
#endif
/*
  Cipher dispatchers, indexed by enum my_aes_mode (see my_aes_crypt_init).
  The order presumably has to match the enum declaration; confirm against
  my_crypt.h before adding or reordering entries.
*/
const EVP_CIPHER *(*ciphers[])(uint)=
{
  aes_ecb,
  aes_cbc
#ifdef HAVE_EncryptAes128Ctr
  , aes_ctr
#ifdef HAVE_EncryptAes128Gcm
  , aes_gcm
#endif
#endif
};
extern "C" {
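/*
  Constructs the context object for the requested mode inside the
  caller-provided memory and initializes it.

  @param ctx    at least MY_AES_CTX_SIZE bytes of storage
  @param mode   index into ciphers[]
  @param flags  bit 0 selects the direction passed to init();
                ENCRYPTION_FLAG_NOPAD selects MyCTX_nopad for the modes
                that are not CTR or GCM
  @param key, klen, iv, ivlen  passed to the context's init()

  @return MY_AES_OK or an error code. When MY_AES_OPENSSL_ERROR is
          returned for an unknown mode or for GCM with
          ENCRYPTION_FLAG_NOPAD, no object was constructed in ctx.
*/
int my_aes_crypt_init(void *ctx, enum my_aes_mode mode, int flags,
                      const unsigned char* key, unsigned int klen,
                      const unsigned char* iv, unsigned int ivlen)
{
  /* mode is used as an array index below; reject values outside the table */
  if ((uint) mode >= sizeof(ciphers) / sizeof(ciphers[0]))
    return MY_AES_OPENSSL_ERROR;

#ifdef HAVE_EncryptAes128Ctr
#ifdef HAVE_EncryptAes128Gcm
  if (mode == MY_AES_GCM)
  {
    if (flags & ENCRYPTION_FLAG_NOPAD)
      return MY_AES_OPENSSL_ERROR;
    new (ctx) MyCTX_gcm();
  }
  else
#endif
  if (mode == MY_AES_CTR)
    new (ctx) MyCTX();
  else
#endif
  if (flags & ENCRYPTION_FLAG_NOPAD)
    new (ctx) MyCTX_nopad();
  else
    new (ctx) MyCTX();

  return ((MyCTX*)ctx)->init(ciphers[mode](klen), flags & 1,
                             key, klen, iv, ivlen);
}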
/*
  Forwards to the update() method of the context object that
  my_aes_crypt_init() constructed in ctx.
*/
int my_aes_crypt_update(void *ctx, const uchar *src, uint slen,
                        uchar *dst, uint *dlen)
{
  MyCTX *cipher_ctx= static_cast<MyCTX*>(ctx);
  return cipher_ctx->update(src, slen, dst, dlen);
}
/*
  Finalizes the operation and destroys the context object. The memory
  behind ctx holds no live object afterwards, so it must be
  re-initialized with my_aes_crypt_init() before it is used again.
*/
int my_aes_crypt_finish(void *ctx, uchar *dst, uint *dlen)
{
  MyCTX *cipher_ctx= static_cast<MyCTX*>(ctx);
  const int result= cipher_ctx->finish(dst, dlen);
  /* explicit destructor call: the object was created with placement new */
  cipher_ctx->~MyCTX();
  return result;
}
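/*
  One-shot encryption or decryption: init, a single update, finish.

  @param mode, flags             see my_aes_crypt_init()
  @param src, slen               input
  @param dst                     output buffer
  @param[out] dlen               total number of bytes written to dst
  @param key, klen, iv, ivlen    see my_aes_crypt_init()

  @return MY_AES_OK, or the first error of init, update, finish. On a
          non-zero return the contents of dst must not be used: update()
          may have written output before finish() rejected the data.
*/
int my_aes_crypt(enum my_aes_mode mode, int flags,
                 const uchar *src, uint slen, uchar *dst, uint *dlen,
                 const uchar *key, uint klen, const uchar *iv, uint ivlen)
{
  void *ctx= alloca(MY_AES_CTX_SIZE);
  int res1, res2;
  /*
    Start from zero: a failing update() or finish() does not necessarily
    store a length, and both values are used below regardless.
  */
  uint d1= 0, d2= 0;

  if ((res1= my_aes_crypt_init(ctx, mode, flags, key, klen, iv, ivlen)))
    return res1;

  res1= my_aes_crypt_update(ctx, src, slen, dst, &d1);
  /* finish is called even after a failed update: it destroys the context */
  res2= my_aes_crypt_finish(ctx, dst + d1, &d2);
  *dlen= d1 + d2;
  return res1 ? res1 : res2;
}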
/*
  Calculates the length of the ciphertext from the length of the
  plaintext for the different AES encryption modes with padding enabled.
  Without padding (ENCRYPTION_FLAG_NOPAD) the ciphertext has the same
  length as the plaintext.

  NOTE(review): the arithmetic is plain unsigned int, so the result wraps
  for a source_length within one block of the maximum; callers that size
  buffers from this value should bound source_length first.
*/
unsigned int my_aes_get_size(enum my_aes_mode mode __attribute__((unused)), unsigned int source_length)
{
#ifdef HAVE_EncryptAes128Ctr
  /* CTR output is exactly as long as its input */
  if (mode == MY_AES_CTR)
    return source_length;
#ifdef HAVE_EncryptAes128Gcm
  /* GCM appends a tag of MY_AES_BLOCK_SIZE bytes */
  if (mode == MY_AES_GCM)
    return source_length + MY_AES_BLOCK_SIZE;
#endif
#endif
  /* round down to a block boundary, then add one full block */
  const unsigned int partial= source_length % MY_AES_BLOCK_SIZE;
  return source_length - partial + MY_AES_BLOCK_SIZE;
}
/*
  Returns the number of bytes a caller has to provide as context storage
  for my_aes_crypt_init(). The mode argument is ignored: the answer is
  MY_AES_CTX_SIZE for every mode.
*/
unsigned int my_aes_ctx_size(enum my_aes_mode)
{
  const unsigned int ctx_bytes= MY_AES_CTX_SIZE;
  return ctx_bytes;
}
#ifdef HAVE_YASSL
#include <random.hpp>
/*
  Fills buf with num bytes from a TaoCrypt random number generator
  (yaSSL build).

  NOTE(review): this variant always returns MY_AES_OK; no failure of the
  generator is reported through the return value. Confirm how
  GenerateBlock() signals an error before relying on the result for key
  or IV material.
*/
int my_random_bytes(uchar* buf, int num)
{
  TaoCrypt::RandomNumberGenerator generator;
  TaoCrypt::byte *out= (TaoCrypt::byte*) buf;
  generator.GenerateBlock(out, num);
  return MY_AES_OK;
}
#else
#include <openssl/rand.h>
/*
  Fills buf with num random bytes (OpenSSL build).

  @return MY_AES_OK, or MY_AES_OPENSSL_ERROR when the SSLeay method is
          unavailable or its bytes() callback does not return 1. On
          error the contents of buf must not be used.
*/
int my_random_bytes(uchar *buf, int num)
{
  /*
    Unfortunately RAND_bytes manual page does not provide any guarantees
    in relation to blocking behavior. Here we explicitly use SSLeay random
    instead of whatever random engine is currently set in OpenSSL. That way
    we are guaranteed to have a non-blocking random.
  */
  RAND_METHOD *method= RAND_SSLeay();
  if (method == NULL)
    return MY_AES_OPENSSL_ERROR;

  const bool filled= method->bytes(buf, num) == 1;
  return filled ? MY_AES_OK : MY_AES_OPENSSL_ERROR;
}
#endif
}