commit 76e10ee6b9fbd5a0372f6d04e432c78aa560e9f9 Author: Nick Mathewson nickm@torproject.org Date: Mon Jul 16 09:49:05 2018 -0400
Use NSS for AES_CTR. --- src/lib/crypt_ops/aes_nss.c | 106 +++++++++++++++++++++++++++++ src/lib/crypt_ops/{aes.c => aes_openssl.c} | 4 +- src/lib/crypt_ops/include.am | 6 +- 3 files changed, 113 insertions(+), 3 deletions(-)
diff --git a/src/lib/crypt_ops/aes_nss.c b/src/lib/crypt_ops/aes_nss.c new file mode 100644 index 000000000..272edc559 --- /dev/null +++ b/src/lib/crypt_ops/aes_nss.c @@ -0,0 +1,106 @@ +/* Copyright (c) 2001, Matej Pfajfar. + * Copyright (c) 2001-2004, Roger Dingledine. + * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson. + * Copyright (c) 2007-2018, The Tor Project, Inc. */ +/* See LICENSE for licensing information */ + +/** + * \file aes_nss.c + * \brief Use NSS to implement AES_CTR. + **/ + +#include "orconfig.h" +#include "lib/crypt_ops/aes.h" +#include "lib/crypt_ops/crypto_nss_mgt.h" +#include "lib/crypt_ops/crypto_util.h" +#include "lib/log/util_bug.h" + +DISABLE_GCC_WARNING(strict-prototypes) +#include <pk11pub.h> +#include <secerr.h> +ENABLE_GCC_WARNING(strict-prototypes) + +aes_cnt_cipher_t * +aes_new_cipher(const uint8_t *key, const uint8_t *iv, + int key_bits) +{ + const CK_MECHANISM_TYPE ckm = CKM_AES_CTR; + SECItem keyItem = { .type = siBuffer, + .data = (unsigned char *)key, + .len = (key_bits / 8) }; + CK_AES_CTR_PARAMS params; + params.ulCounterBits = 128; + memcpy(params.cb, iv, 16); + SECItem ivItem = { .type = siBuffer, + .data = (unsigned char *)¶ms, + .len = sizeof(params) }; + PK11SlotInfo *slot = NULL; + PK11SymKey *keyObj = NULL; + SECItem *ivObj = NULL; + PK11Context *result = NULL; + + slot = PK11_GetBestSlot(ckm, NULL); + if (!slot) + goto err; + + keyObj = PK11_ImportSymKey(slot, ckm, PK11_OriginUnwrap, + CKA_ENCRYPT, &keyItem, NULL); + if (!keyObj) + goto err; + + ivObj = PK11_ParamFromIV(ckm, &ivItem); + if (!ivObj) + goto err; + + PORT_SetError(SEC_ERROR_IO); + result = PK11_CreateContextBySymKey(ckm, CKA_ENCRYPT, keyObj, ivObj); + + err: + memwipe(¶ms, 0, sizeof(params)); + if (ivObj) + SECITEM_FreeItem(ivObj, PR_TRUE); + if (keyObj) + PK11_FreeSymKey(keyObj); + if (slot) + PK11_FreeSlot(slot); + + tor_assert(result); + return (aes_cnt_cipher_t *)result; +} + +void +aes_cipher_free_(aes_cnt_cipher_t *cipher) +{ + if (!cipher) + return; + PK11_DestroyContext((PK11Context*) cipher, PR_TRUE); +} + +void +aes_crypt_inplace(aes_cnt_cipher_t *cipher, char *data_, size_t len_) +{ + tor_assert(len_ <= INT_MAX); + + SECStatus s; + PK11Context *ctx = (PK11Context*)cipher; + unsigned char *data = (unsigned char *)data_; + int len = (int) len_; + int result_len = 0; + + s = PK11_CipherOp(ctx, data, &result_len, len, data, len); + tor_assert(s == SECSuccess); + tor_assert(result_len == len); +} + +int +evaluate_evp_for_aes(int force_value) +{ + (void)force_value; + return 0; +} + +int +evaluate_ctr_for_aes(void) +{ + return 0; +} diff --git a/src/lib/crypt_ops/aes.c b/src/lib/crypt_ops/aes_openssl.c similarity index 99% rename from src/lib/crypt_ops/aes.c rename to src/lib/crypt_ops/aes_openssl.c index ff9d4d855..387f5d3df 100644 --- a/src/lib/crypt_ops/aes.c +++ b/src/lib/crypt_ops/aes_openssl.c @@ -5,8 +5,8 @@ /* See LICENSE for licensing information */
/** - * \file aes.c - * \brief Implements a counter-mode stream cipher on top of AES. + * \file aes_openssl.c + * \brief Use OpenSSL to implement AES_CTR. **/
#include "orconfig.h" diff --git a/src/lib/crypt_ops/include.am b/src/lib/crypt_ops/include.am index e96d6b0a5..3ebb0b0f6 100644 --- a/src/lib/crypt_ops/include.am +++ b/src/lib/crypt_ops/include.am @@ -6,7 +6,6 @@ noinst_LIBRARIES += src/lib/libtor-crypt-ops-testing.a endif
src_lib_libtor_crypt_ops_a_SOURCES = \ - src/lib/crypt_ops/aes.c \ src/lib/crypt_ops/crypto_cipher.c \ src/lib/crypt_ops/crypto_curve25519.c \ src/lib/crypt_ops/crypto_dh.c \ @@ -24,8 +23,13 @@ src_lib_libtor_crypt_ops_a_SOURCES = \
if USE_NSS src_lib_libtor_crypt_ops_a_SOURCES += \ + src/lib/crypt_ops/aes_nss.c \ src/lib/crypt_ops/crypto_nss_mgt.c +else +src_lib_libtor_crypt_ops_a_SOURCES += \ + src/lib/crypt_ops/aes_openssl.c endif + if USE_OPENSSL src_lib_libtor_crypt_ops_a_SOURCES += \ src/lib/crypt_ops/crypto_openssl_mgt.c