📄 common.txt
字号:
/* Copyright (c) 2003, Roger Dingledine
* Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
* Copyright (c) 2007-2008, The Tor Project, Inc. */
/* See LICENSE for licensing information */
/* $Id$ */
/* Implements a minimal interface to counter-mode AES. */
#ifndef __AES_H
#define __AES_H
#define AES_H_ID "$Id$"
/**
* \file aes.h
* \brief Headers for aes.c
*/
#include "torint.h"
struct aes_cnt_cipher;
typedef struct aes_cnt_cipher aes_cnt_cipher_t;
aes_cnt_cipher_t* aes_new_cipher(void);
void aes_free_cipher(aes_cnt_cipher_t *cipher);
void aes_set_key(aes_cnt_cipher_t *cipher, const char *key, int key_bits);
void aes_crypt(aes_cnt_cipher_t *cipher, const char *input, size_t len,
char *output);
void aes_crypt_inplace(aes_cnt_cipher_t *cipher, char *data, size_t len);
void aes_set_iv(aes_cnt_cipher_t *cipher, const char *iv);
#endif
/* Copyright (c) 2001, Matej Pfajfar.
* Copyright (c) 2001-2004, Roger Dingledine.
* Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
* Copyright (c) 2007-2008, The Tor Project, Inc. */
/* See LICENSE for licensing information */
/* $Id$ */
const char aes_c_id[] = "$Id$";
/**
* \file aes.c
* \brief Implements the AES cipher (with 128-bit keys and blocks),
* and a counter-mode stream cipher on top of AES. This code is
* taken from the main Rijndael distribution. (We include this
* because many people are running older versions of OpenSSL without
* AES support.)
**/
#include "orconfig.h"
#include <openssl/opensslv.h>
#include <assert.h>
#include <stdlib.h>
#include <string.h>
#include "compat.h"
#include "aes.h"
#include "util.h"
#include "log.h"
/* We have 3 strategies for getting AES: Via OpenSSL's AES_encrypt function,
* via OpenSSL's EVP_EncryptUpdate function, or via the built-in AES
* implementation below. */
/** Defined iff we're using openssl's AES functions for AES. */
#undef USE_OPENSSL_AES
/** Defined iff we're using openssl's EVP code for AES. */
#undef USE_OPENSSL_EVP
/** Defined iff we're using Tor's internal AES implementation, defined
* below. */
#undef USE_BUILTIN_AES
/* Figure out our CPU type. We use this to pick an AES implementation.
* Macros are as listed at http://predef.sourceforge.net/prearch.html
*/
#if (defined(i386) || defined(__i386__) || defined(__i386) || defined(_X86_) \
|| defined(_M_IX86) || defined(__THW_INTEL__) || defined(__I86__))
# define CPU_IS_X86
#elif (defined(__amd64__) || defined(__amd64) || \
defined(__x86_64__) || defined(__x86_64) || \
defined(_M_X64))
# define CPU_IS_X86_64
#elif (defined(__ia64__) || defined(__ia64) || defined(_IA64) || \
defined(_M_IA64))
# define CPU_IS_IA64
#elif (defined(__sparc__) || defined(__sparc))
# define CPU_IS_SPARC
#elif (defined(__arm__) || defined (__TARGET_ARCH_ARM))
# define CPU_IS_ARM
#endif
/* Here we pick which to use, if none is force-defined. See
* http://archives.seul.org/or/dev/Feb-2007/msg00045.html
* for a summary of the most recent benchmarking results that led to this
* nutty decision tree.
*/
#if (!defined(USE_BUILTIN_AES) && \
!defined(USE_OPENSSL_AES) && \
!defined(USE_OPENSSL_EVP))
/* OpenSSL 0.9.7 was the first to support AES. It was slower than our
* builtin implementation.
* OpenSSL 0.9.8 added assembly implementations for i386 and ia64.
* Either the i386 stuff isn't used for x86-64, or it isn't faster.
* OpenSSL 0.9.9 (not yet out) has added assembly implementations for
* x86_64 (aka amd64), sparc9, and arm
*
* Note: the "f" at the end of openssl version numbers below means
* "release". */
# if defined(CPU_IS_X86) || defined(CPU_IS_IA64)
# if OPENSSL_VERSION_NUMBER >= 0x0090800fL
# define USE_OPENSSL_AES
# endif
# endif
# if defined(CPU_IS_X86_64) || defined(CPU_IS_ARM) || defined(CPU_IS_SPARC)
# if OPENSSL_VERSION_NUMBER >= 0x0090900fL
# define USE_OPENSSL_AES
# endif
# endif
/* Otherwise, use the builtin implementation below. */
# ifndef USE_OPENSSL_AES
# define USE_BUILTIN_AES
# endif
#endif /* endif need to pick a method */
/* Include OpenSSL headers as needed. */
#ifdef USE_OPENSSL_AES
# include <openssl/aes.h>
#endif
#ifdef USE_OPENSSL_EVP
# include <openssl/evp.h>
#endif
/* Figure out which AES optimizations to use. */
#ifdef USE_BUILTIN_AES
# define USE_RIJNDAEL_COUNTER_OPTIMIZATION
# if 0 && (defined(__powerpc__) || defined(__powerpc64__))
/* XXXX do more experimentation before concluding this is actually
* a good idea. */
# define FULL_UNROLL
# endif
#endif
/*======================================================================*/
/* From rijndael-alg-fst.h */
typedef uint64_t u64;
typedef uint32_t u32;
typedef uint8_t u8;
#ifdef USE_BUILTIN_AES
#define MAXNR 14
static int rijndaelKeySetupEnc(u32 rk[/*4*(Nr + 1)*/],
const u8 cipherKey[], int keyBits);
#ifdef USE_RIJNDAEL_COUNTER_OPTIMIZATION
static void rijndaelEncrypt(const u32 rk[/*4*(Nr + 1)*/], int Nr,
u32 ctr3, u32 ctr2,
u32 ctr1, u32 ctr0, u8 ct[16]);
#else
static void rijndaelEncrypt(const u32 rk[/*4*(Nr + 1)*/], int Nr,
const u8 pt[16], u8 ct[16]);
#endif
#endif
/*======================================================================*/
/* Interface to AES code, and counter implementation */
/** Implements an AES counter-mode cipher. */
struct aes_cnt_cipher {
/** This next element (however it's defined) is the AES key. */
#if defined(USE_OPENSSL_EVP)
EVP_CIPHER_CTX key;
#elif defined(USE_OPENSSL_AES)
AES_KEY key;
#else
u32 rk[4*(MAXNR+1)];
int nr;
#endif
#if !defined(WORDS_BIGENDIAN) || defined(USE_RIJNDAEL_COUNTER_OPTIMIZATION)
#define USING_COUNTER_VARS
/** These four values, together, implement a 128-bit counter, with
* counter0 as the low-order word and counter3 as the high-order word. */
u32 counter3;
u32 counter2;
u32 counter1;
u32 counter0;
#endif
#ifndef USE_RIJNDAEL_COUNTER_OPTIMIZATION
#define USING_COUNTER_BUFS
union {
/** The counter, in big-endian order, as bytes. */
u8 buf[16];
/** The counter, in big-endian order, as big-endian words. Note that
* on big-endian platforms, this is redundant with counter3...0,
* so we just use these values instead. */
u32 buf32[4];
} ctr_buf;
#endif
/** The encrypted value of ctr_buf. */
u8 buf[16];
/** Our current stream position within buf. */
u8 pos;
};
#if !defined(USING_COUNTER_VARS)
#define COUNTER(c, n) ((c)->ctr_buf.buf32[3-(n)])
#else
#define COUNTER(c, n) ((c)->counter ## n)
#endif
/**
* Helper function: set <b>cipher</b>'s internal buffer to the encrypted
* value of the current counter.
*/
static INLINE void
_aes_fill_buf(aes_cnt_cipher_t *cipher)
{
/* We don't currently use OpenSSL's counter mode implementation because:
* 1) some versions have known bugs
* 2) its attitude towards IVs is not our own
* 3) changing the counter position was not trivial, last time I looked.
* None of these issues are insurmountable in principle.
*/
#if defined(USE_BUILTIN_AES) && defined(USE_RIJNDAEL_COUNTER_OPTIMIZATION)
rijndaelEncrypt(cipher->rk, cipher->nr,
cipher->counter3, cipher->counter2,
cipher->counter1, cipher->counter0, cipher->buf);
#else
#if defined(USE_OPENSSL_EVP)
{
int outl=16, inl=16;
EVP_EncryptUpdate(&cipher->key, cipher->buf, &outl,
cipher->ctr_buf.buf, inl);
}
#elif defined(USE_OPENSSL_AES)
AES_encrypt(cipher->ctr_buf.buf, cipher->buf, &cipher->key);
#else
rijndaelEncrypt(cipher->rk, cipher->nr, cipher->ctr_buf.buf, cipher->buf);
#endif
#endif
}
/**
* Return a newly allocated counter-mode AES128 cipher implementation.
*/
aes_cnt_cipher_t*
aes_new_cipher(void)
{
aes_cnt_cipher_t* result = tor_malloc_zero(sizeof(aes_cnt_cipher_t));
return result;
}
/** Set the key of <b>cipher</b> to <b>key</b>, which is
* <b>key_bits</b> bits long (must be 128, 192, or 256). Also resets
* the counter to 0.
*/
void
aes_set_key(aes_cnt_cipher_t *cipher, const char *key, int key_bits)
{
#if defined(USE_OPENSSL_EVP)
const EVP_CIPHER *c;
switch (key_bits) {
case 128: c = EVP_aes_128_ecb(); break;
case 192: c = EVP_aes_192_ecb(); break;
case 256: c = EVP_aes_256_ecb(); break;
default: tor_assert(0);
}
EVP_EncryptInit(&cipher->key, c, (const unsigned char*)key, NULL);
#elif defined(USE_OPENSSL_AES)
AES_set_encrypt_key((const unsigned char *)key, key_bits, &(cipher->key));
#else
cipher->nr = rijndaelKeySetupEnc(cipher->rk, (const unsigned char*)key,
key_bits);
#endif
#ifdef USING_COUNTER_VARS
cipher->counter0 = 0;
cipher->counter1 = 0;
cipher->counter2 = 0;
cipher->counter3 = 0;
#endif
#ifdef USING_COUNTER_BUFS
memset(cipher->ctr_buf.buf, 0, sizeof(cipher->ctr_buf.buf));
#endif
cipher->pos = 0;
_aes_fill_buf(cipher);
}
/** Release storage held by <b>cipher</b>
*/
void
aes_free_cipher(aes_cnt_cipher_t *cipher)
{
tor_assert(cipher);
#ifdef USE_OPENSSL_EVP
EVP_CIPHER_CTX_cleanup(&cipher->key);
#endif
memset(cipher, 0, sizeof(cipher));
tor_free(cipher);
}
#if defined(USING_COUNTER_VARS) && defined(USING_COUNTER_BUFS)
#define UPDATE_CTR_BUF(c, n) STMT_BEGIN \
(c)->ctr_buf.buf32[3-(n)] = htonl((c)->counter ## n); \
STMT_END
#else
#define UPDATE_CTR_BUF(c, n)
#endif
/** Encrypt <b>len</b> bytes from <b>input</b>, storing the result in
* <b>output</b>. Uses the key in <b>cipher</b>, and advances the counter
* by <b>len</b> bytes as it encrypts.
*/
void
aes_crypt(aes_cnt_cipher_t *cipher, const char *input, size_t len,
char *output)
{
/* XXXX This function is up to 5% of our runtime in some profiles;
* we should look into unrolling some of the loops; taking advantage
* of alignment, using a bigger buffer, and so on. Not till after 0.1.2.x,
* though. */
int c = cipher->pos;
if (PREDICT_UNLIKELY(!len)) return;
while (1) {
do {
if (len-- == 0) { cipher->pos = c; return; }
*(output++) = *(input++) ^ cipher->buf[c];
} while (++c != 16);
cipher->pos = c = 0;
if (PREDICT_UNLIKELY(! ++COUNTER(cipher, 0))) {
if (PREDICT_UNLIKELY(! ++COUNTER(cipher, 1))) {
if (PREDICT_UNLIKELY(! ++COUNTER(cipher, 2))) {
++COUNTER(cipher, 3);
UPDATE_CTR_BUF(cipher, 3);
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -