FIPS140 mode is detected on run-time.
[gnutls:gnutls.git] / lib / nettle / cipher.c
1 /*
2  * Copyright (C) 2010-2012 Free Software Foundation, Inc.
3  *
4  * Author: Nikos Mavrogiannopoulos
5  *
6  * This file is part of GNUTLS.
7  *
8  * The GNUTLS library is free software; you can redistribute it and/or
9  * modify it under the terms of the GNU Lesser General Public License
10  * as published by the Free Software Foundation; either version 2.1 of
11  * the License, or (at your option) any later version.
12  *
13  * This library is distributed in the hope that it will be useful, but
14  * WITHOUT ANY WARRANTY; without even the implied warranty of
15  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
16  * Lesser General Public License for more details.
17  *
18  * You should have received a copy of the GNU Lesser General Public License
19  * along with this program.  If not, see <http://www.gnu.org/licenses/>
20  *
21  */
22
23 /* Here lie nettle's wrappers for cipher support.
24  */
25
26 #include <gnutls_int.h>
27 #include <gnutls_errors.h>
28 #include <gnutls_cipher_int.h>
29 #include <nettle/aes.h>
30 #include <nettle/camellia.h>
31 #include <nettle/arcfour.h>
32 #include <nettle/arctwo.h>
33 #include <nettle/salsa20.h>
34 #include <nettle/des.h>
35 #include <nettle/nettle-meta.h>
36 #include <nettle/cbc.h>
37 #include <nettle/gcm.h>
38 #include <gcm-camellia.h>
39 #include <fips.h>
40
41 /* Functions that refer to the nettle library.
42  */
43
44 #define MAX_BLOCK_SIZE 32
45
46 typedef void (*encrypt_func) (void *, nettle_crypt_func, unsigned,
47                               uint8_t *, unsigned, uint8_t *,
48                               const uint8_t *);
49 typedef void (*decrypt_func) (void *, nettle_crypt_func, unsigned,
50                               uint8_t *, unsigned, uint8_t *,
51                               const uint8_t *);
52 typedef void (*auth_func) (void *, unsigned, const uint8_t *);
53
54 typedef void (*tag_func) (void *, unsigned, uint8_t *);
55
56 typedef void (*setkey_func) (void *, unsigned, const uint8_t *);
57
58 static void
59 stream_encrypt(void *ctx, nettle_crypt_func func, unsigned block_size,
60                uint8_t * iv, unsigned length, uint8_t * dst,
61                const uint8_t * src)
62 {
63         func(ctx, length, dst, src);
64 }
65
66 struct nettle_cipher_ctx {
67         union {
68                 struct aes_ctx aes;
69                 struct camellia_ctx camellia;
70                 struct arcfour_ctx arcfour;
71                 struct arctwo_ctx arctwo;
72                 struct des3_ctx des3;
73                 struct des_ctx des;
74                 struct gcm_aes_ctx aes_gcm;
75                 struct _gcm_camellia_ctx camellia_gcm;
76                 struct salsa20_ctx salsa20;
77         } ctx;
78         void *ctx_ptr;
79         uint8_t iv[MAX_BLOCK_SIZE];
80         gnutls_cipher_algorithm_t algo;
81         size_t block_size;
82         nettle_crypt_func *i_encrypt;
83         nettle_crypt_func *i_decrypt;
84         encrypt_func encrypt;
85         decrypt_func decrypt;
86         auth_func auth;
87         tag_func tag;
88         int enc;
89 };
90
91 #define GCM_DEFAULT_NONCE_SIZE 12
92
93 static void _aes_gcm_encrypt(void *_ctx, nettle_crypt_func f,
94                              unsigned block_size, uint8_t * iv,
95                              unsigned length, uint8_t * dst,
96                              const uint8_t * src)
97 {
98         gcm_aes_encrypt(_ctx, length, dst, src);
99 }
100
101 static void _aes_gcm_decrypt(void *_ctx, nettle_crypt_func f,
102                              unsigned block_size, uint8_t * iv,
103                              unsigned length, uint8_t * dst,
104                              const uint8_t * src)
105 {
106         gcm_aes_decrypt(_ctx, length, dst, src);
107 }
108
109 static void _camellia_gcm_encrypt(void *_ctx, nettle_crypt_func f,
110                                   unsigned block_size, uint8_t * iv,
111                                   unsigned length, uint8_t * dst,
112                                   const uint8_t * src)
113 {
114         _gcm_camellia_encrypt(_ctx, length, dst, src);
115 }
116
117 static void _camellia_gcm_decrypt(void *_ctx, nettle_crypt_func f,
118                                   unsigned block_size, uint8_t * iv,
119                                   unsigned length, uint8_t * dst,
120                                   const uint8_t * src)
121 {
122         _gcm_camellia_decrypt(_ctx, length, dst, src);
123 }
124
125 static int wrap_nettle_cipher_exists(gnutls_cipher_algorithm_t algo)
126 {
127         switch (algo) {
128         case GNUTLS_CIPHER_AES_128_GCM:
129         case GNUTLS_CIPHER_AES_256_GCM:
130         case GNUTLS_CIPHER_AES_128_CBC:
131         case GNUTLS_CIPHER_AES_192_CBC:
132         case GNUTLS_CIPHER_AES_256_CBC:
133         case GNUTLS_CIPHER_3DES_CBC:
134                 return 1;
135         case GNUTLS_CIPHER_CAMELLIA_128_GCM:
136         case GNUTLS_CIPHER_CAMELLIA_256_GCM:
137         case GNUTLS_CIPHER_CAMELLIA_128_CBC:
138         case GNUTLS_CIPHER_CAMELLIA_192_CBC:
139         case GNUTLS_CIPHER_CAMELLIA_256_CBC:
140         case GNUTLS_CIPHER_DES_CBC:
141         case GNUTLS_CIPHER_ARCFOUR_128:
142         case GNUTLS_CIPHER_SALSA20_256:
143         case GNUTLS_CIPHER_ESTREAM_SALSA20_256:
144         case GNUTLS_CIPHER_ARCFOUR_40:
145         case GNUTLS_CIPHER_RC2_40_CBC:
146                 if (_gnutls_fips_mode_enabled() != 0)
147                         return 0;
148                 else
149                         return 1;
150         default:
151                 return 0;
152         }
153 }
154
155 static int
156 wrap_nettle_cipher_init(gnutls_cipher_algorithm_t algo, void **_ctx,
157                         int enc)
158 {
159         struct nettle_cipher_ctx *ctx;
160
161         ctx = gnutls_calloc(1, sizeof(*ctx));
162         if (ctx == NULL) {
163                 gnutls_assert();
164                 return GNUTLS_E_MEMORY_ERROR;
165         }
166
167         ctx->algo = algo;
168         ctx->enc = enc;
169
170         switch (algo) {
171         case GNUTLS_CIPHER_AES_128_GCM:
172         case GNUTLS_CIPHER_AES_256_GCM:
173                 ctx->encrypt = _aes_gcm_encrypt;
174                 ctx->decrypt = _aes_gcm_decrypt;
175                 ctx->i_encrypt = (nettle_crypt_func *) aes_encrypt;
176                 ctx->auth = (auth_func) gcm_aes_update;
177                 ctx->tag = (tag_func) gcm_aes_digest;
178                 ctx->ctx_ptr = &ctx->ctx.aes_gcm;
179                 ctx->block_size = AES_BLOCK_SIZE;
180                 break;
181         case GNUTLS_CIPHER_AES_128_CBC:
182         case GNUTLS_CIPHER_AES_192_CBC:
183         case GNUTLS_CIPHER_AES_256_CBC:
184                 ctx->encrypt = cbc_encrypt;
185                 ctx->decrypt = cbc_decrypt;
186                 ctx->i_encrypt = (nettle_crypt_func *) aes_encrypt;
187                 ctx->i_decrypt = (nettle_crypt_func *) aes_decrypt;
188                 ctx->ctx_ptr = &ctx->ctx.aes;
189                 ctx->block_size = AES_BLOCK_SIZE;
190                 break;
191         case GNUTLS_CIPHER_3DES_CBC:
192                 ctx->encrypt = cbc_encrypt;
193                 ctx->decrypt = cbc_decrypt;
194                 ctx->i_encrypt = (nettle_crypt_func *) des3_encrypt;
195                 ctx->i_decrypt = (nettle_crypt_func *) des3_decrypt;
196                 ctx->ctx_ptr = &ctx->ctx.des3;
197                 ctx->block_size = DES3_BLOCK_SIZE;
198                 break;
199         case GNUTLS_CIPHER_CAMELLIA_128_GCM:
200         case GNUTLS_CIPHER_CAMELLIA_256_GCM:
201                 if (_gnutls_fips_mode_enabled() != 0)
202                         return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
203
204                 ctx->encrypt = _camellia_gcm_encrypt;
205                 ctx->decrypt = _camellia_gcm_decrypt;
206                 ctx->i_encrypt = (nettle_crypt_func *) camellia_crypt;
207                 ctx->auth = (auth_func) _gcm_camellia_update;
208                 ctx->tag = (tag_func) _gcm_camellia_digest;
209                 ctx->ctx_ptr = &ctx->ctx.camellia_gcm;
210                 ctx->block_size = CAMELLIA_BLOCK_SIZE;
211                 break;
212         case GNUTLS_CIPHER_CAMELLIA_128_CBC:
213         case GNUTLS_CIPHER_CAMELLIA_192_CBC:
214         case GNUTLS_CIPHER_CAMELLIA_256_CBC:
215                 if (_gnutls_fips_mode_enabled() != 0)
216                         return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
217
218                 ctx->encrypt = cbc_encrypt;
219                 ctx->decrypt = cbc_decrypt;
220                 ctx->i_encrypt = (nettle_crypt_func *) camellia_crypt;
221                 ctx->i_decrypt = (nettle_crypt_func *) camellia_crypt;
222                 ctx->ctx_ptr = &ctx->ctx.camellia;
223                 ctx->block_size = CAMELLIA_BLOCK_SIZE;
224                 break;
225         case GNUTLS_CIPHER_DES_CBC:
226                 if (_gnutls_fips_mode_enabled() != 0)
227                         return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
228
229                 ctx->encrypt = cbc_encrypt;
230                 ctx->decrypt = cbc_decrypt;
231                 ctx->i_encrypt = (nettle_crypt_func *) des_encrypt;
232                 ctx->i_decrypt = (nettle_crypt_func *) des_decrypt;
233                 ctx->ctx_ptr = &ctx->ctx.des;
234                 ctx->block_size = DES_BLOCK_SIZE;
235                 break;
236         case GNUTLS_CIPHER_ARCFOUR_128:
237         case GNUTLS_CIPHER_ARCFOUR_40:
238                 if (_gnutls_fips_mode_enabled() != 0)
239                         return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
240
241                 ctx->encrypt = stream_encrypt;
242                 ctx->decrypt = stream_encrypt;
243                 ctx->i_encrypt = (nettle_crypt_func *) arcfour_crypt;
244                 ctx->i_decrypt = (nettle_crypt_func *) arcfour_crypt;
245                 ctx->ctx_ptr = &ctx->ctx.arcfour;
246                 ctx->block_size = 1;
247                 break;
248         case GNUTLS_CIPHER_SALSA20_256:
249                 if (_gnutls_fips_mode_enabled() != 0)
250                         return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
251
252                 ctx->encrypt = stream_encrypt;
253                 ctx->decrypt = stream_encrypt;
254                 ctx->i_encrypt = (nettle_crypt_func *) salsa20_crypt;
255                 ctx->i_decrypt = (nettle_crypt_func *) salsa20_crypt;
256                 ctx->ctx_ptr = &ctx->ctx.salsa20;
257                 ctx->block_size = 1;
258                 break;
259         case GNUTLS_CIPHER_ESTREAM_SALSA20_256:
260                 if (_gnutls_fips_mode_enabled() != 0)
261                         return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
262
263                 ctx->encrypt = stream_encrypt;
264                 ctx->decrypt = stream_encrypt;
265                 ctx->i_encrypt = (nettle_crypt_func *) salsa20r12_crypt;
266                 ctx->i_decrypt = (nettle_crypt_func *) salsa20r12_crypt;
267                 ctx->ctx_ptr = &ctx->ctx.salsa20;
268                 ctx->block_size = 1;
269                 break;
270         case GNUTLS_CIPHER_RC2_40_CBC:
271                 if (_gnutls_fips_mode_enabled() != 0)
272                         return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
273
274                 ctx->encrypt = cbc_encrypt;
275                 ctx->decrypt = cbc_decrypt;
276                 ctx->i_encrypt = (nettle_crypt_func *) arctwo_encrypt;
277                 ctx->i_decrypt = (nettle_crypt_func *) arctwo_decrypt;
278                 ctx->ctx_ptr = &ctx->ctx.arctwo;
279                 ctx->block_size = ARCTWO_BLOCK_SIZE;
280                 break;
281         default:
282                 gnutls_assert();
283                 gnutls_free(ctx);
284                 return GNUTLS_E_INVALID_REQUEST;
285         }
286
287         *_ctx = ctx;
288
289         return 0;
290 }
291
292 static int
293 wrap_nettle_cipher_setkey(void *_ctx, const void *key, size_t keysize)
294 {
295         struct nettle_cipher_ctx *ctx = _ctx;
296         uint8_t des_key[DES3_KEY_SIZE];
297
298         switch (ctx->algo) {
299         case GNUTLS_CIPHER_AES_128_GCM:
300         case GNUTLS_CIPHER_AES_256_GCM:
301                 gcm_aes_set_key(&ctx->ctx.aes_gcm, keysize, key);
302                 break;
303         case GNUTLS_CIPHER_AES_128_CBC:
304         case GNUTLS_CIPHER_AES_192_CBC:
305         case GNUTLS_CIPHER_AES_256_CBC:
306                 if (ctx->enc)
307                         aes_set_encrypt_key(ctx->ctx_ptr, keysize, key);
308                 else
309                         aes_set_decrypt_key(ctx->ctx_ptr, keysize, key);
310                 break;
311         case GNUTLS_CIPHER_CAMELLIA_128_CBC:
312         case GNUTLS_CIPHER_CAMELLIA_192_CBC:
313         case GNUTLS_CIPHER_CAMELLIA_256_CBC:
314                 if (ctx->enc)
315                         camellia_set_encrypt_key(ctx->ctx_ptr, keysize,
316                                                  key);
317                 else
318                         camellia_set_decrypt_key(ctx->ctx_ptr, keysize,
319                                                  key);
320                 break;
321         case GNUTLS_CIPHER_3DES_CBC:
322                 if (keysize != DES3_KEY_SIZE) {
323                         gnutls_assert();
324                         return GNUTLS_E_INTERNAL_ERROR;
325                 }
326
327                 des_fix_parity(keysize, des_key, key);
328
329                 /* this fails on weak keys */
330                 if (des3_set_key(ctx->ctx_ptr, des_key) != 1) {
331                         gnutls_assert();
332                         return GNUTLS_E_INTERNAL_ERROR;
333                 }
334                 zeroize_temp_key(des_key, sizeof(des_key));
335
336                 break;
337         case GNUTLS_CIPHER_CAMELLIA_128_GCM:
338         case GNUTLS_CIPHER_CAMELLIA_256_GCM:
339                 if (_gnutls_fips_mode_enabled() != 0)
340                         return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
341
342                 _gcm_camellia_set_key(&ctx->ctx.camellia_gcm, keysize,
343                                       key);
344                 break;
345         case GNUTLS_CIPHER_DES_CBC:
346                 if (_gnutls_fips_mode_enabled() != 0)
347                         return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
348
349                 if (keysize != DES_KEY_SIZE) {
350                         gnutls_assert();
351                         return GNUTLS_E_INTERNAL_ERROR;
352                 }
353
354                 des_fix_parity(keysize, des_key, key);
355
356                 if (des_set_key(ctx->ctx_ptr, des_key) != 1) {
357                         gnutls_assert();
358                         return GNUTLS_E_INTERNAL_ERROR;
359                 }
360                 zeroize_temp_key(des_key, sizeof(des_key));
361                 break;
362         case GNUTLS_CIPHER_ARCFOUR_128:
363         case GNUTLS_CIPHER_ARCFOUR_40:
364                 if (_gnutls_fips_mode_enabled() != 0)
365                         return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
366
367                 arcfour_set_key(ctx->ctx_ptr, keysize, key);
368                 break;
369         case GNUTLS_CIPHER_SALSA20_256:
370         case GNUTLS_CIPHER_ESTREAM_SALSA20_256:
371                 if (_gnutls_fips_mode_enabled() != 0)
372                         return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
373
374                 salsa20_set_key(ctx->ctx_ptr, keysize, key);
375                 break;
376         case GNUTLS_CIPHER_RC2_40_CBC:
377                 if (_gnutls_fips_mode_enabled() != 0)
378                         return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
379
380                 arctwo_set_key(ctx->ctx_ptr, keysize, key);
381                 break;
382         default:
383                 gnutls_assert();
384                 return GNUTLS_E_INVALID_REQUEST;
385         }
386
387         return 0;
388 }
389
390 static int
391 wrap_nettle_cipher_setiv(void *_ctx, const void *iv, size_t ivsize)
392 {
393         struct nettle_cipher_ctx *ctx = _ctx;
394
395         switch (ctx->algo) {
396         case GNUTLS_CIPHER_AES_128_GCM:
397         case GNUTLS_CIPHER_AES_256_GCM:
398                 if (ivsize != GCM_DEFAULT_NONCE_SIZE)
399                         return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
400
401                 gcm_aes_set_iv(&ctx->ctx.aes_gcm, GCM_DEFAULT_NONCE_SIZE,
402                                iv);
403                 break;
404         case GNUTLS_CIPHER_CAMELLIA_128_GCM:
405         case GNUTLS_CIPHER_CAMELLIA_256_GCM:
406                 if (ivsize != GCM_DEFAULT_NONCE_SIZE)
407                         return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
408
409                 _gcm_camellia_set_iv(&ctx->ctx.camellia_gcm,
410                                      GCM_DEFAULT_NONCE_SIZE, iv);
411                 break;
412         case GNUTLS_CIPHER_SALSA20_256:
413         case GNUTLS_CIPHER_ESTREAM_SALSA20_256:
414                 if (ivsize != SALSA20_IV_SIZE)
415                         return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
416
417                 salsa20_set_iv(&ctx->ctx.salsa20, iv);
418                 break;
419         default:
420                 if (ivsize > ctx->block_size)
421                         return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
422
423                 memcpy(ctx->iv, iv, ivsize);
424         }
425
426         return 0;
427 }
428
429 static int
430 wrap_nettle_cipher_decrypt(void *_ctx, const void *encr, size_t encrsize,
431                            void *plain, size_t plainsize)
432 {
433         struct nettle_cipher_ctx *ctx = _ctx;
434
435         ctx->decrypt(ctx->ctx_ptr, ctx->i_decrypt, ctx->block_size,
436                      ctx->iv, encrsize, plain, encr);
437
438         return 0;
439 }
440
441 static int
442 wrap_nettle_cipher_encrypt(void *_ctx, const void *plain, size_t plainsize,
443                            void *encr, size_t encrsize)
444 {
445         struct nettle_cipher_ctx *ctx = _ctx;
446
447         ctx->encrypt(ctx->ctx_ptr, ctx->i_encrypt, ctx->block_size,
448                      ctx->iv, plainsize, encr, plain);
449
450         return 0;
451 }
452
453 static int
454 wrap_nettle_cipher_auth(void *_ctx, const void *plain, size_t plainsize)
455 {
456         struct nettle_cipher_ctx *ctx = _ctx;
457
458         ctx->auth(ctx->ctx_ptr, plainsize, plain);
459
460         return 0;
461 }
462
463 static void wrap_nettle_cipher_tag(void *_ctx, void *tag, size_t tagsize)
464 {
465         struct nettle_cipher_ctx *ctx = _ctx;
466
467         ctx->tag(ctx->ctx_ptr, tagsize, tag);
468
469 }
470
471 static void wrap_nettle_cipher_close(void *_ctx)
472 {
473         struct nettle_cipher_ctx *ctx = _ctx;
474
475         zeroize_temp_key(ctx, sizeof(*ctx));
476         gnutls_free(ctx);
477 }
478
479 gnutls_crypto_cipher_st _gnutls_cipher_ops = {
480         .init = wrap_nettle_cipher_init,
481         .exists = wrap_nettle_cipher_exists,
482         .setiv = wrap_nettle_cipher_setiv,
483         .setkey = wrap_nettle_cipher_setkey,
484         .encrypt = wrap_nettle_cipher_encrypt,
485         .decrypt = wrap_nettle_cipher_decrypt,
486         .deinit = wrap_nettle_cipher_close,
487         .auth = wrap_nettle_cipher_auth,
488         .tag = wrap_nettle_cipher_tag,
489 };