diff --git a/CMakeLists.txt b/CMakeLists.txt index 99315890f..ac7a0b139 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -15,13 +15,13 @@ include(haiUtil) # needed for set_version_variables # CMake version 3.0 introduced the VERSION option of the project() command # to specify a project version as well as the name. if(${CMAKE_VERSION} VERSION_LESS "3.0.0") - project(SRT C CXX) - # Sets SRT_VERSION_MAJOR, SRT_VERSION_MINOR, SRT_VERSION_PATCH - set_version_variables(SRT_VERSION ${SRT_VERSION}) + project(SRT C CXX) + # Sets SRT_VERSION_MAJOR, SRT_VERSION_MINOR, SRT_VERSION_PATCH + set_version_variables(SRT_VERSION ${SRT_VERSION}) else() - cmake_policy(SET CMP0048 NEW) - # Also sets SRT_VERSION_MAJOR, SRT_VERSION_MINOR, SRT_VERSION_PATCH - project(SRT VERSION ${SRT_VERSION} LANGUAGES C CXX) + cmake_policy(SET CMP0048 NEW) + # Also sets SRT_VERSION_MAJOR, SRT_VERSION_MINOR, SRT_VERSION_PATCH + project(SRT VERSION ${SRT_VERSION} LANGUAGES C CXX) endif() include(FindPkgConfig) @@ -339,8 +339,9 @@ if (ENABLE_ENCRYPTION) set(SRT_LIBS_PRIVATE ${SRT_LIBS_PRIVATE} "-l${LIB}") endif() endforeach() - else() # openssl - add_definitions(-DUSE_OPENSSL=1) + elseif ("${USE_ENCLIB}" STREQUAL "openssl-evp") + # Openssl-EVP requires CRYSPR2 + add_definitions(-DUSE_OPENSSL_EVP=1 -DCRYSPR2) set (SSL_REQUIRED_MODULES "openssl libcrypto") # Try using pkg-config method first if enabled, # fall back to find_package method otherwise @@ -365,6 +366,39 @@ if (ENABLE_ENCRYPTION) endif() endif() + link_directories( + ${SSL_LIBRARY_DIRS} + ) + message(STATUS "SSL via pkg-config: -L ${SSL_LIBRARY_DIRS} -I ${SSL_INCLUDE_DIRS} -l;${SSL_LIBRARIES}") + else() + find_package(OpenSSL REQUIRED) + set (SSL_INCLUDE_DIRS ${OPENSSL_INCLUDE_DIR}) + set (SSL_LIBRARIES ${OPENSSL_LIBRARIES}) + message(STATUS "SSL via find_package(OpenSSL): -I ${SSL_INCLUDE_DIRS} -l;${SSL_LIBRARIES}") + endif() + else() # openssl + # Openssl (Direct-AES API) can use CRYSPR2 + add_definitions(-DUSE_OPENSSL=1 -DCRYSPR2) + set (SSL_REQUIRED_MODULES "openssl libcrypto") + # Try using pkg-config method first if enabled, + # fall back to find_package method otherwise + if (USE_OPENSSL_PC) + pkg_check_modules(SSL ${SSL_REQUIRED_MODULES}) + endif() + if (SSL_FOUND) + # We have some cases when pkg-config is improperly configured + # When it doesn't ship the -L and -I options, and the CMAKE_PREFIX_PATH + # is set (also through `configure`), then we have this problem. If so, + # set forcefully the -I and -L contents to prefix/include and + # prefix/lib. + if ("${SSL_LIBRARY_DIRS}" STREQUAL "") + if (NOT "${CMAKE_PREFIX_PATH}" STREQUAL "") + message(STATUS "WARNING: pkg-config has incorrect prefix - enforcing target path prefix: ${CMAKE_PREFIX_PATH}") + set (SSL_LIBRARY_DIRS ${CMAKE_PREFIX_PATH}/${CMAKE_INSTALL_LIBDIR}) + set (SSL_INCLUDE_DIRS ${CMAKE_PREFIX_PATH}/include) + endif() + endif() + link_directories( ${SSL_LIBRARY_DIRS} ) diff --git a/docs/build/build-options.md b/docs/build/build-options.md index 8c87229c9..efff79943 100644 --- a/docs/build/build-options.md +++ b/docs/build/build-options.md @@ -58,7 +58,7 @@ Option details are given further below. | [`PTHREAD_LIBRARY`](#pthread_library) | 1.3.0 | `STRING` | OFF | Configures the path to a pthread library. | | [`USE_BUSY_WAITING`](#use_busy_waiting) | 1.3.3 | `BOOL` | OFF | Enables more accurate sending times at the cost of potentially higher CPU load. | | [`USE_CXX_STD`](#use_cxx_std) | 1.4.2 | `STRING` | OFF | Enforces using a particular C++ standard (11, 14, 17, etc.) when compiling. | -| [`USE_ENCLIB`](#use_enclib) | 1.3.3 | `STRING` | openssl | Encryption library to be used (`openssl`, `gnutls`, `mbedtls`). | +| [`USE_ENCLIB`](#use_enclib) | 1.3.3 | `STRING` | openssl | Encryption library to be used (`openssl`, `openssl-evp` (since 1.5.1-dev), `gnutls`, `mbedtls`). | | [`USE_GNUSTL`](#use_gnustl) | 1.3.4 | `BOOL` | OFF | Use `pkg-config` with the `gnustl` package name to extract the header and library path for the C++ standard library. | | [`USE_OPENSSL_PC`](#use_openssl_pc) | 1.3.0 | `BOOL` | ON | Use `pkg-config` to find OpenSSL libraries. | | [`OPENSSL_USE_STATIC_LIBS`](#openssl_use_static_libs) | 1.5.0 | `BOOL` | OFF | Link OpenSSL statically. | @@ -456,12 +456,7 @@ will be run as part of the build process. This is intended for developers only. **`--openssl-crypto-library=`** Used to configure the path to an OpenSSL crypto library. Ignored when encryption -is disabled (ENABLE_ENCRYPTION = OFF). Supported libraries are: - - - openssl (default) - - gnutls - - mbedtls - +is disabled (ENABLE_ENCRYPTION = OFF). See [`USE_ENCLIB`](#use_enclib) for the list of supported libraries. [:arrow_up:   Back to List of Build Options](#list-of-build-options) @@ -534,6 +529,7 @@ remember that: Encryption library to be used. Possible options for ``: * openssl (default) +* openssl-evp (OpenSSL EVP API, since 1.5.1-dev) * gnutls (with nettle) * mbedtls diff --git a/haicrypt/cryspr-config.h b/haicrypt/cryspr-config.h index d92e99b53..ee4921dbe 100644 --- a/haicrypt/cryspr-config.h +++ b/haicrypt/cryspr-config.h @@ -9,6 +9,10 @@ #include "cryspr-openssl.h" #define cryspr4SRT() crysprOpenSSL() #define CRYSPR_IMPL_DESC "OpenSSL-AES" +#elif defined(USE_OPENSSL_EVP) +#include "cryspr-openssl-evp.h" +#define cryspr4SRT() crysprOpenSSL_EVP() +#define CRYSPR_IMPL_DESC "OpenSSL-EVP" #elif defined(USE_GNUTLS) #include "cryspr-gnutls.h" #define cryspr4SRT() crysprGnuTLS() diff --git a/haicrypt/cryspr-gnutls.c b/haicrypt/cryspr-gnutls.c index 217a70e8a..95eaf2856 100644 --- a/haicrypt/cryspr-gnutls.c +++ b/haicrypt/cryspr-gnutls.c @@ -13,6 +13,8 @@ written by Haivision Systems Inc. + 2022-05-19 (jdube) + CRYSPR2 adaptation 2019-06-27 (jdube) GnuTLS/Nettle CRYSPR/4SRT (CRYypto Service PRovider for SRT) *****************************************************************************/ @@ -24,6 +26,10 @@ written by typedef struct tag_crysprGnuTLS_AES_cb { CRYSPR_cb ccb; /* CRYSPR control block */ /* Add other cryptolib specific data here */ +#ifdef CRYSPR2 + CRYSPR_AESCTX aes_kek_buf; /* Key Encrypting Key (KEK) */ + CRYSPR_AESCTX aes_sek_buf[2]; /* even/odd Stream Encrypting Key (SEK) */ +#endif } crysprGnuTLS_cb; @@ -33,11 +39,14 @@ int crysprGnuTLS_Prng(unsigned char *rn, int len) } int crysprGnuTLS_AES_SetKey( + int cipher_type, /* One of HCRYPT_CTX_MODE_[CLRTXT|AESECB|AESCTR] */ bool bEncrypt, /* true:encrypt key, false:decrypt key*/ const unsigned char *kstr, /* key string */ size_t kstr_len, /* kstr length in bytes (16, 24, or 32 bytes (for AES128,AES192, or AES256) */ CRYSPR_AESCTX *aes_key) /* Cryptolib Specific AES key context */ { + (void)cipher_type; + if (bEncrypt) { /* Encrypt key */ if (!(kstr_len == 16 || kstr_len == 24 || kstr_len == 32)) { HCRYPT_LOG(LOG_ERR, "%s", "AES_set_encrypt_key(kek) bad length\n"); @@ -114,6 +123,31 @@ int crysprGnuTLS_AES_CtrCipher( /* AES-CTR128 Encryption */ return 0; } +#ifdef CRYSPR2 +static CRYSPR_cb *crysprGnuTLS_Open(CRYSPR_methods *cryspr, size_t max_len) +{ + crysprGnuTLS_cb *aes_data; + CRYSPR_cb *cryspr_cb; + + aes_data = (crysprGnuTLS_cb *)crysprHelper_Open(cryspr, sizeof(crysprGnuTLS_cb), max_len); + if (NULL == aes_data) { + HCRYPT_LOG(LOG_ERR, "crysprHelper_Open(%p, %zd, %zd) failed\n", cryspr, sizeof(crysprGnuTLS_cb), max_len); + return(NULL); + } + + aes_data->ccb.aes_kek = &aes_data->aes_kek_buf; //key encrypting key + aes_data->ccb.aes_sek[0] = &aes_data->aes_sek_buf[0]; //stream encrypting key + aes_data->ccb.aes_sek[1] = &aes_data->aes_sek_buf[1]; //stream encrypting key + + return(&aes_data->ccb); +} + +static int crysprGnuTLS_Close(CRYSPR_cb *cryspr_cb) +{ + return(crysprHelper_Close(cryspr_cb)); +} +#endif /* CRYSPR2 */ + #ifdef CRYSPR_HAS_PBKDF2 /* * Password-based Key Derivation Function @@ -157,8 +191,13 @@ CRYSPR_methods *crysprGnuTLS(void) #endif //--Crypto Session (Top API) + #ifdef CRYSPR2 + crysprGnuTLS_methods.open = crysprGnuTLS_Open; + crysprGnuTLS_methods.close = crysprGnuTLS_Close; + #else /* CRYSPR2 */ // crysprGnuTLS_methods.open = // crysprGnuTLS_methods.close = + #endif /* CRYSPR2 */ //--Keying material (km) encryption #if CRYSPR_HAS_PBKDF2 crysprGnuTLS_methods.km_pbkdf2 = crysprGnuTLS_KmPbkdf2; diff --git a/haicrypt/cryspr-mbedtls.c b/haicrypt/cryspr-mbedtls.c index c10727a0a..71b14cf99 100644 --- a/haicrypt/cryspr-mbedtls.c +++ b/haicrypt/cryspr-mbedtls.c @@ -13,6 +13,8 @@ written by Haivision Systems Inc. + 2022-05-19 (jdube) + CRYSPR2 adaptation 2019-06-27 (jdube) GnuTLS/Nettle CRYSPR/4SRT (CRYypto Service PRovider for SRT) *****************************************************************************/ @@ -34,6 +36,10 @@ static mbedtls_md_context_t crysprMbedtls_mdctx; typedef struct tag_crysprGnuTLS_AES_cb { CRYSPR_cb ccb; /* CRYSPR control block */ /* Add other cryptolib specific data here */ +#ifdef CRYSPR2 + CRYSPR_AESCTX aes_kek_buf; /* Key Encrypting Key (KEK) */ + CRYSPR_AESCTX aes_sek_buf[2]; /* even/odd Stream Encrypting Key (SEK) */ +#endif } crysprMbedtls_cb; @@ -49,18 +55,23 @@ int crysprMbedtls_Prng(unsigned char *rn, int len) } int crysprMbedtls_AES_SetKey( + int cipher_type, /* One of HCRYPT_CTX_MODE_[CLRTXT|AESECB|AESCTR] */ bool bEncrypt, /* true:encrypt key, false:decrypt key*/ const unsigned char *kstr, /* key string */ size_t kstr_len, /* kstr length in bytes (16, 24, or 32 bytes, for AES128,AES192, or AES256) */ CRYSPR_AESCTX *aes_key) /* Cryptolib Specific AES key context */ { + (void)cipher_type; + if (!(kstr_len == 16 || kstr_len == 24 || kstr_len == 32)) { HCRYPT_LOG(LOG_ERR, "%s", "AES_set_encrypt_key(kek) bad length\n"); return -1; } int ret; - +#ifdef CRYSPR2 + (void)cipher_type; +#endif // mbedtls uses the "bits" convention (128, 192, 254), just like openssl. // kstr_len is in "bytes" convention (16, 24, 32). @@ -146,6 +157,31 @@ int crysprMbedtls_AES_CtrCipher( /* AES-CTR128 Encryption */ return 0; } +#ifdef CRYSPR2 +static CRYSPR_cb *crysprMbedtls_Open(CRYSPR_methods *cryspr, size_t max_len) +{ + crysprMbedtls_cb *aes_data; + CRYSPR_cb *cryspr_cb; + + aes_data = (crysprMbedtls_cb *)crysprHelper_Open(cryspr, sizeof(crysprMbedtls_cb), max_len); + if (NULL == aes_data) { + HCRYPT_LOG(LOG_ERR, "crysprHelper_Open(%p, %zd, %zd) failed\n", cryspr, sizeof(crysprMbedtls_cb), max_len); + return(NULL); + } + + aes_data->ccb.aes_kek = &aes_data->aes_kek_buf; //key encrypting key + aes_data->ccb.aes_sek[0] = &aes_data->aes_sek_buf[0]; //stream encrypting key + aes_data->ccb.aes_sek[1] = &aes_data->aes_sek_buf[1]; //stream encrypting key + + return(&aes_data->ccb); +} + +static int crysprMbedtls_Close(CRYSPR_cb *cryspr_cb) +{ + return(crysprHelper_Close(cryspr_cb)); +} +#endif /* CRYSPR2 */ + /* * Password-based Key Derivation Function */ @@ -196,8 +232,13 @@ CRYSPR_methods *crysprMbedtls(void) #endif //--Crypto Session (Top API) +#ifdef CRYSPR2 + crysprMbedtls_methods.open = crysprMbedtls_Open; + crysprMbedtls_methods.close = crysprMbedtls_Close; +#else // crysprMbedtls_methods.open = // crysprMbedtls_methods.close = +#endif //--Keying material (km) encryption crysprMbedtls_methods.km_pbkdf2 = crysprMbedtls_KmPbkdf2; // crysprMbedtls_methods.km_setkey = diff --git a/haicrypt/cryspr-mbedtls.h b/haicrypt/cryspr-mbedtls.h index 9cc5c6e44..a83b397c1 100644 --- a/haicrypt/cryspr-mbedtls.h +++ b/haicrypt/cryspr-mbedtls.h @@ -52,7 +52,7 @@ written by /* #define CRYSPR_AESCTX to the CRYSPR specifix AES key context object. This type reserves room in the CRYPSPR control block for Haicrypt KEK and SEK -It is set from hte keystring through CRYSPR_methods.aes_set_key and passed +It is set from the keystring through CRYSPR_methods.aes_set_key and passed to CRYSPR_methods.aes_XXX. */ typedef mbedtls_aes_context CRYSPR_AESCTX; /* CRYpto Service PRovider AES key context */ diff --git a/haicrypt/cryspr-openssl-evp.c b/haicrypt/cryspr-openssl-evp.c new file mode 100644 index 000000000..f2bd693c0 --- /dev/null +++ b/haicrypt/cryspr-openssl-evp.c @@ -0,0 +1,335 @@ +/* + * SRT - Secure, Reliable, Transport + * Copyright (c) 2019 Haivision Systems Inc. + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + */ + +/***************************************************************************** +written by + Haivision Systems Inc. + + 2022-05-19 (jdube) + OpenSSL EVP CRYSPR/4SRT (CRYypto Service PRovider for SRT). +*****************************************************************************/ + +#include "hcrypt.h" + +#include + +typedef struct tag_crysprOpenSSL_EVP_cb +{ + CRYSPR_cb ccb; + /* Add cryptolib specific data here */ +} crysprOpenSSL_EVP_cb; + +int crysprOpenSSL_EVP_Prng(unsigned char* rn, int len) +{ + return (RAND_bytes(rn, len) <= 0 ? -1 : 0); +} + +const EVP_CIPHER* (*Xcipher_fnptr)(void) = EVP_aes_128_ecb; + +const EVP_CIPHER* (*_crysprOpenSSL_EVP_cipher_fnptr[][3])(void) = { + {NULL, NULL, NULL}, + {EVP_aes_128_ecb, EVP_aes_192_ecb, EVP_aes_256_ecb}, + {EVP_aes_128_ctr, EVP_aes_192_ctr, EVP_aes_256_ctr}, +}; + +int crysprOpenSSL_EVP_AES_SetKey( + int cipher_type, /* One of HCRYPT_CTX_MODE_[CLRTXT|AESECB|AESCTR] */ + bool bEncrypt, /* true Enxcrypt key, false: decrypt */ + const unsigned char* kstr, /* key sttring*/ + size_t kstr_len, /* kstr len in bytes (16, 24, or 32 bytes (for AES128, AES192, or AES256) */ + CRYSPR_AESCTX* aes_key) /* CRYpto Service PRovider AES Key context */ +{ + const EVP_CIPHER* cipher = NULL; + int idxKlen = (kstr_len / 8) - 2; /* key_len index in cipher_fnptr array in [0,1,2] range */ + + switch (cipher_type) + { + case HCRYPT_CTX_MODE_CLRTXT: + return 0; + case HCRYPT_CTX_MODE_AESECB: + break; + case HCRYPT_CTX_MODE_AESCTR: +#if !CRYSPR_HAS_AESCTR + /* internal implementation of AES-CTR using crypto lib's AES-ECB */ + cipher_type = HCRYPT_CTX_MODE_AESECB; +#endif + break; + default: + HCRYPT_LOG(LOG_ERR, + "invalid cipher type (%d). Expected: [%d..%d]\n", + cipher_type, + HCRYPT_CTX_MODE_AESECB, + HCRYPT_CTX_MODE_AESCTR); + return (-1); + } + switch (kstr_len) + { + case 128 / 8: + case 192 / 8: + case 256 / 8: + break; + default: + HCRYPT_LOG(LOG_ERR, "invalid key length (%d). Expected: 16, 24, 32\n", (int)kstr_len); + return -1; + } + cipher = _crysprOpenSSL_EVP_cipher_fnptr[cipher_type][idxKlen](); + + if (bEncrypt) + { /* Encrypt key */ + if (!EVP_EncryptInit_ex(aes_key, cipher, NULL, kstr, NULL)) + { + HCRYPT_LOG(LOG_ERR, "%s", "EVP_CipherInit_ex(kek) failed\n"); + return (-1); + } + } + else + { /* Decrypt key */ + if (!EVP_DecryptInit_ex(aes_key, cipher, NULL, kstr, NULL)) + { + HCRYPT_LOG(LOG_ERR, "%s", "EVP_CipherInit_ex(kek) failed\n"); + return (-1); + } + } + return (0); +} + +static CRYSPR_cb* crysprOpenSSL_EVP_Open(CRYSPR_methods* cryspr, size_t max_len) +{ + CRYSPR_cb* cryspr_cb = crysprHelper_Open(cryspr, sizeof(*cryspr_cb), max_len); + if (NULL == cryspr_cb) + { + HCRYPT_LOG(LOG_ERR, "crysprFallback_Open(%p, %zd) failed\n", cryspr, max_len); + return (NULL); + } + + cryspr_cb->aes_kek = EVP_CIPHER_CTX_new(); + + cryspr_cb->aes_sek[0] = EVP_CIPHER_CTX_new(); + + cryspr_cb->aes_sek[1] = EVP_CIPHER_CTX_new(); + + return (cryspr_cb); +} + +static int crysprOpenSSL_EVP_Close(CRYSPR_cb* cryspr_cb) +{ + if (NULL != cryspr_cb) + { + EVP_CIPHER_CTX_free(cryspr_cb->aes_sek[0]); + EVP_CIPHER_CTX_free(cryspr_cb->aes_sek[1]); + EVP_CIPHER_CTX_free(cryspr_cb->aes_kek); + } + return (crysprHelper_Close(cryspr_cb)); +} + +#if !(CRYSPR_HAS_AESCTR && CRYSPR_HAS_AESKWRAP) + +int crysprOpenSSL_EVP_AES_EcbCipher(bool bEncrypt, /* true:encrypt, false:decrypt */ + CRYSPR_AESCTX* aes_key, /* CRYpto Service PRovider AES Key context */ + const unsigned char* indata, /* src (clear text if encrypt, cipher text otherwise)*/ + size_t inlen, /* indata length */ + unsigned char* out_txt, /* dst (cipher text if encrypt, clear text otherwise) */ + size_t* outlen_p) /* in/out dst len */ +{ + int nblk = inlen / CRYSPR_AESBLKSZ; /* complete blocks */ + int nmore = inlen % CRYSPR_AESBLKSZ; /* bytes in last incomplete block */ + size_t outsiz = (outlen_p ? *outlen_p : 0); + int c_len = 0, f_len = 0; + + (void)bEncrypt; // not needed, alreadydefined in context + + if (outsiz % CRYSPR_AESBLKSZ) + { + HCRYPT_LOG(LOG_ERR, "%s\n", "EcbCipher() no room for PKCS7 padding"); + return (-1); /* output buf size must be a multiple of AES block size (16) */ + } + if ((outsiz > 16) && ((int)outsiz < ((nblk + (nmore ? 1 : 0)) * CRYSPR_AESBLKSZ))) + { + HCRYPT_LOG(LOG_ERR, "%s\n", "EcbCipher() no room for PKCS7 padding"); + return (-1); /* output buf size must have room for PKCS7 padding */ + } + /* allows reusing of 'e' for multiple encryption cycles */ + if (!EVP_CipherInit_ex(aes_key, NULL, NULL, NULL, NULL, -1)) + { + HCRYPT_LOG(LOG_ERR, "EVP_CipherInit_ex(%p,NULL,...,-1) failed\n", aes_key); + return -1; + } + if (!EVP_CIPHER_CTX_set_padding(aes_key, 0)) + { + HCRYPT_LOG(LOG_ERR, "%s\n", "EVP_CIPHER_CTX_set_padding(%p) failed", aes_key); + return -1; + } + + /* update ciphertext, c_len is filled with the length of ciphertext generated, + * cryptoPtr->cipher_in_len is the size of plain/cipher text in bytes + */ + if (!EVP_CipherUpdate(aes_key, out_txt, &c_len, indata, inlen)) + { + HCRYPT_LOG(LOG_ERR, "EVP_CipherUpdate(%p, out, %d, in, %d) failed\n", aes_key, c_len, inlen); + return -1; + } + + /* update ciphertext with the final remaining bytes */ + /* Useless with pre-padding */ + f_len = 0; + if (0 == EVP_CipherFinal_ex(aes_key, &out_txt[c_len], &f_len)) + { +#if ENABLE_HAICRYPT_LOGGING + char szErrBuf[256]; + HCRYPT_LOG(LOG_ERR, + "EVP_CipherFinal_ex(ctx,&out[%d],%d)) failed: %s\n", + c_len, + f_len, + ERR_error_string(ERR_get_error(), szErrBuf)); +#endif /*ENABLE_HAICRYPT_LOGGING*/ + return -1; + } + // if (outlen_p != NULL) *outlen_p = nblk*CRYSPR_AESBLKSZ; + return 0; +} +#endif /* !(CRYSPR_HAS_AESCTR && CRYSPR_HAS_AESKWRAP) */ + +int crysprOpenSSL_EVP_AES_CtrCipher(bool bEncrypt, /* true:encrypt, false:decrypt */ + CRYSPR_AESCTX* aes_key, /* CRYpto Service PRovider AES Key context */ + unsigned char* iv, /* iv */ + const unsigned char* indata, /* src */ + size_t inlen, /* length */ + unsigned char* out_txt) /* dest */ + +{ + int c_len, f_len; + + (void)bEncrypt; + + /* allows reusing of 'e' for multiple encryption cycles */ + if (!EVP_CipherInit_ex(aes_key, NULL, NULL, NULL, iv, -1)) + { + HCRYPT_LOG(LOG_ERR, "%s\n", "EVP_CipherInit_ex() failed"); + return -1; + } + if (!EVP_CIPHER_CTX_set_padding(aes_key, 0)) + { + HCRYPT_LOG(LOG_ERR, "%s\n", "EVP_CIPHER_CTX_set_padding() failed"); + return -1; + } + + /* update ciphertext, c_len is filled with the length of ciphertext generated, + * cryptoPtr->cipher_in_len is the size of plain/cipher text in bytes + */ + if (!EVP_CipherUpdate(aes_key, out_txt, &c_len, indata, inlen)) + { + HCRYPT_LOG(LOG_ERR, "%s\n", "EVP_CipherUpdate() failed"); + return -1; + } + + /* update ciphertext with the final remaining bytes */ + /* Useless with pre-padding */ + f_len = 0; + if (0 == EVP_CipherFinal_ex(aes_key, &out_txt[c_len], &f_len)) + { +#if ENABLE_HAICRYPT_LOGGING + char szErrBuf[256]; + HCRYPT_LOG(LOG_ERR, + "EVP_CipherFinal_ex(ctx,&out[%d],%d)) failed: %s\n", + c_len, + f_len, + ERR_error_string(ERR_get_error(), szErrBuf)); +#endif /*ENABLE_HAICRYPT_LOGGING*/ + return -1; + } + return 0; +} + +/* + * Password-based Key Derivation Function + */ +int crysprOpenSSL_EVP_KmPbkdf2(CRYSPR_cb* cryspr_cb, + char* passwd, /* passphrase */ + size_t passwd_len, /* passphrase len */ + unsigned char* salt, /* salt */ + size_t salt_len, /* salt_len */ + int itr, /* iterations */ + size_t key_len, /* key_len */ + unsigned char* out) /* derived key */ +{ + (void)cryspr_cb; + int rc = PKCS5_PBKDF2_HMAC_SHA1(passwd, passwd_len, salt, salt_len, itr, key_len, out); + return (rc == 1 ? 0 : -1); +} + +#if CRYSPR_HAS_AESKWRAP +int crysprOpenSSL_EVP_KmWrap(CRYSPR_cb* cryspr_cb, unsigned char* wrap, const unsigned char* sek, unsigned int seklen) +{ + crysprOpenSSL_EVP_cb* aes_data = (crysprOpenSSL_EVP_cb*)cryspr_cb; + EVP_CIPHER_CTX* kek = CRYSPR_GETKEK(cryspr_cb); // key encrypting key + + return (((seklen + HAICRYPT_WRAPKEY_SIGN_SZ) == (unsigned int)AES_wrap_key(kek, NULL, wrap, sek, seklen)) ? 0 : -1); +} + +int crysprOpenSSL_EVP_KmUnwrap(CRYSPR_cb* cryspr_cb, + unsigned char* sek, // Stream encrypting key + const unsigned char* wrap, + unsigned int wraplen) +{ + crysprOpenSSL_EVP_cb* aes_data = (crysprOpenSSL_EVP_cb*)cryspr_cb; + EVP_CIPHER_CTX* kek = CRYSPR_GETKEK(cryspr_cb); // key encrypting key + + return (((wraplen - HAICRYPT_WRAPKEY_SIGN_SZ) == (unsigned int)AES_unwrap_key(kek, NULL, sek, wrap, wraplen)) ? 0 + : -1); +} +#endif /*CRYSPR_HAS_AESKWRAP*/ + +static CRYSPR_methods crysprOpenSSL_EVP_methods; + +CRYSPR_methods* crysprOpenSSL_EVP(void) +{ + if (NULL == crysprOpenSSL_EVP_methods.open) + { + crysprInit(&crysprOpenSSL_EVP_methods); // Default/fallback methods + + crysprOpenSSL_EVP_methods.prng = crysprOpenSSL_EVP_Prng; + //--CryptoLib Primitive API----------------------------------------------- + crysprOpenSSL_EVP_methods.aes_set_key = crysprOpenSSL_EVP_AES_SetKey; +#if CRYSPR_HAS_AESCTR + crysprOpenSSL_EVP_methods.aes_ctr_cipher = crysprOpenSSL_EVP_AES_CtrCipher; +#endif +#if !(CRYSPR_HAS_AESCTR && CRYSPR_HAS_AESKWRAP) + /* AES-ECB only required if cryspr has no AES-CTR and no AES KeyWrap */ + /* OpenSSL has both AESCTR and AESKWRP and the AESECB wrapper is only used + to test the falback methods */ + crysprOpenSSL_EVP_methods.aes_ecb_cipher = crysprOpenSSL_EVP_AES_EcbCipher; +#endif +#if !CRYSPR_HAS_PBKDF2 + crysprOpenSSL_EVP_methods.sha1_msg_digest = NULL; // Required to use eventual default/fallback KmPbkdf2 +#endif + + //--Crypto Session API----------------------------------------- + crysprOpenSSL_EVP_methods.open = crysprOpenSSL_EVP_Open; + crysprOpenSSL_EVP_methods.close = crysprOpenSSL_EVP_Close; + //--Keying material (km) encryption + +#if CRYSPR_HAS_PBKDF2 + crysprOpenSSL_EVP_methods.km_pbkdf2 = crysprOpenSSL_EVP_KmPbkdf2; +#else +#error There is no default/fallback method for PBKDF2 +#endif + // crysprOpenSSL_EVP_methods.km_setkey = +#if CRYSPR_HAS_AESKWRAP + crysprOpenSSL_EVP_methods.km_wrap = crysprOpenSSL_EVP_KmWrap; + crysprOpenSSL_EVP_methods.km_unwrap = crysprOpenSSL_EVP_KmUnwrap; +#endif + + //--Media stream (ms) encryption + // crysprOpenSSL_EVP_methods.ms_setkey = + // crysprOpenSSL_EVP_methods.ms_encrypt = + // crysprOpenSSL_EVP_methods.ms_decrypt = + } + return (&crysprOpenSSL_EVP_methods); +} diff --git a/haicrypt/cryspr-openssl-evp.h b/haicrypt/cryspr-openssl-evp.h new file mode 100644 index 000000000..61cb68617 --- /dev/null +++ b/haicrypt/cryspr-openssl-evp.h @@ -0,0 +1,63 @@ +/* + * SRT - Secure, Reliable, Transport + * Copyright (c) 2019 Haivision Systems Inc. + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + */ + +/***************************************************************************** +written by + Haivision Systems Inc. + + 2022-05-19 (jdube) + OpenSSL EVP AES CRYSPR/4SRT (CRYypto Service PRovider for SRT). +*****************************************************************************/ + +#ifndef CRYSPR_OPENSSL_H +#define CRYSPR_OPENSSL_H + +#include /* PKCS5_xxx() */ +#include /* AES_xxx() */ +#if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(OPENSSL_IS_BORINGSSL)) +#include /* CRYPTO_xxx() */ +#endif +#include +#include +#include /* OPENSSL_VERSION_NUMBER */ + +/* Define CRYSPR_HAS_AESCTR to 1 if this CRYSPR has AESCTR cipher mode + if not set it 0 to use enable CTR cipher mode implementation using ECB cipher mode + and provide the aes_ecb_cipher method. +*/ +#define CRYSPR_HAS_AESCTR 1 + +/* Define CRYSPR_HAS_AESKWRAP to 1 if this CRYSPR has AES Key Wrap + if not set to 0 to enable default/fallback crysprFallback_AES_WrapKey/crysprFallback_AES_UnwrapKey methods + and provide the aes_ecb_cipher method . +*/ +#if 1 // Force internal AES-WRAP (using AES-ECB) until implemented with EVP (OPENSSL_VERSION_NUMBER < 0x00xxxxxxL) +#define CRYSPR_HAS_AESKWRAP 0 +#else +#define CRYSPR_HAS_AESKWRAP 1 +#endif + +/* Define CRYSPR_HAS_PBKDF2 to 1 if this CRYSPR has SHA1-HMAC Password-based Key Derivaion Function 2 + if not set to 0 to enable not-yet-implemented/fallback crysprFallback.km_pbkdf2 method + and provide the sha1_msg_digest method. +*/ +#define CRYSPR_HAS_PBKDF2 1 /* Define to 1 if CRYSPR has Password-based Key Derivaion Function 2 */ + +/* +#define CRYSPR_AESCTX to the CRYSPR specifix AES key context object. +This type reserves room in the CRYPSPR control block for Haicrypt KEK and SEK +It is set from hte keystring through CRYSPR_methods.aes_set_key and passed +to CRYSPR_methods.aes_*. +*/ +typedef EVP_CIPHER_CTX CRYSPR_AESCTX; /* CRYpto Service PRovider AES key context */ + +struct tag_CRYSPR_methods* crysprOpenSSL_EVP(void); + +#endif /* CRYSPR_OPENSSL_H */ diff --git a/haicrypt/cryspr-openssl.c b/haicrypt/cryspr-openssl.c index a5d50ac65..3af907d24 100644 --- a/haicrypt/cryspr-openssl.c +++ b/haicrypt/cryspr-openssl.c @@ -13,18 +13,23 @@ written by Haivision Systems Inc. + 2022-05-19 (jdube) + CRYSPR2 adaptation 2019-06-26 (jdube) - OpenSSL CRYSPR/4SRT (CRYypto Service PRovider for SRT). + OpenSSL Direct AES CRYSPR/4SRT (CRYypto Service PRovider for SRT). *****************************************************************************/ #include "hcrypt.h" #include - typedef struct tag_crysprOpenSSL_AES_cb { - CRYSPR_cb ccb; - /* Add cryptolib specific data here */ + CRYSPR_cb ccb; + /* Add cryptolib specific data here */ +#ifdef CRYSPR2 + CRYSPR_AESCTX aes_kek_buf; /* Key Encrypting Key (KEK) */ + CRYSPR_AESCTX aes_sek_buf[2]; /* even/odd Stream Encrypting Key (SEK) */ +#endif } crysprOpenSSL_cb; @@ -34,11 +39,14 @@ int crysprOpenSSL_Prng(unsigned char *rn, int len) } int crysprOpenSSL_AES_SetKey( + int cipher_type, /* One of HCRYPT_CTX_MODE_[CLRTXT|AESECB|AESCTR] */ bool bEncrypt, /* true Enxcrypt key, false: decrypt */ const unsigned char *kstr, /* key sttring*/ size_t kstr_len, /* kstr len in bytes (16, 24, or 32 bytes (for AES128,AES192, or AES256) */ CRYSPR_AESCTX *aes_key) /* CRYpto Service PRovider AES Key context */ { + (void)cipher_type; + if (bEncrypt) { /* Encrypt key */ if (AES_set_encrypt_key(kstr, kstr_len * 8, aes_key)) { HCRYPT_LOG(LOG_ERR, "%s", "AES_set_encrypt_key(kek) failed\n"); @@ -123,7 +131,24 @@ int crysprOpenSSL_AES_CtrCipher( #endif return 0; } +#ifdef CRYSPR2 +static CRYSPR_cb *crysprOpenSSL_Open(CRYSPR_methods *cryspr, size_t max_len) +{ + crysprOpenSSL_cb *aes_data; + + aes_data = (crysprOpenSSL_cb *)crysprHelper_Open(cryspr, sizeof(crysprOpenSSL_cb), max_len); + if (NULL == aes_data) { + HCRYPT_LOG(LOG_ERR, "crysprHelper_Open(%p, %zd, %zd) failed\n", cryspr, sizeof(crysprOpenSSL_cb), max_len); + return(NULL); + } + + aes_data->ccb.aes_kek = &aes_data->aes_kek_buf; //key encrypting key + aes_data->ccb.aes_sek[0] = &aes_data->aes_sek_buf[0]; //stream encrypting key + aes_data->ccb.aes_sek[1] = &aes_data->aes_sek_buf[1]; //stream encrypting key + return(&aes_data->ccb); +} +#endif /* CRYSPR2 */ /* * Password-based Key Derivation Function */ @@ -148,8 +173,7 @@ int crysprOpenSSL_KmWrap(CRYSPR_cb *cryspr_cb, const unsigned char *sek, unsigned int seklen) { - crysprOpenSSL_cb *aes_data = (crysprOpenSSL_cb *)cryspr_cb; - AES_KEY *kek = &aes_data->ccb.aes_kek; //key encrypting key + AES_KEY *kek = CRYSPR_GETKEK(cryspr_cb); //key encrypting key return(((seklen + HAICRYPT_WRAPKEY_SIGN_SZ) == (unsigned int)AES_wrap_key(kek, NULL, wrap, sek, seklen)) ? 0 : -1); } @@ -160,8 +184,7 @@ int crysprOpenSSL_KmUnwrap( const unsigned char *wrap, unsigned int wraplen) { - crysprOpenSSL_cb *aes_data = (crysprOpenSSL_cb *)cryspr_cb; - AES_KEY *kek = &aes_data->ccb.aes_kek; //key encrypting key + AES_KEY *kek = CRYSPR_GETKEK(cryspr_cb); //key encrypting key return(((wraplen - HAICRYPT_WRAPKEY_SIGN_SZ) == (unsigned int)AES_unwrap_key(kek, NULL, sek, wrap, wraplen)) ? 0 : -1); } @@ -192,7 +215,11 @@ CRYSPR_methods *crysprOpenSSL(void) #endif //--Crypto Session API----------------------------------------- +#ifdef CRYSPR2 + crysprOpenSSL_methods.open = crysprOpenSSL_Open; +#else // crysprOpenSSL_methods.open = +#endif // crysprOpenSSL_methods.close = //--Keying material (km) encryption diff --git a/haicrypt/cryspr.c b/haicrypt/cryspr.c index 522d27cfe..645631721 100644 --- a/haicrypt/cryspr.c +++ b/haicrypt/cryspr.c @@ -31,11 +31,13 @@ int crysprStub_Prng(unsigned char *rn, int len) } int crysprStub_AES_SetKey( + int cipher_type, /* One of HCRYPT_CTX_MODE_[CLRTXT|AESECB|AESCTR|AESGDM] */ bool bEncrypt, /* true Enxcrypt key, false: decrypt */ const unsigned char *kstr, /* key sttring*/ size_t kstr_len, /* kstr len in bytes (16, 24, or 32 bytes (for AES128,AES192, or AES256) */ CRYSPR_AESCTX *aes_key) /* Cryptolib Specific AES key context */ { + (void)cipher_type; (void)bEncrypt; (void)kstr; (void)kstr_len; @@ -122,10 +124,10 @@ int crysprStub_KmPbkdf2( static int crysprFallback_KmSetKey(CRYSPR_cb *cryspr_cb, bool bWrap, const unsigned char *kek, size_t kek_len) { - CRYSPR_AESCTX *aes_kek = &cryspr_cb->aes_kek; + CRYSPR_AESCTX *aes_kek = CRYSPR_GETKEK(cryspr_cb); - if (cryspr_cb->cryspr->aes_set_key(bWrap, kek, kek_len, aes_kek)) { - HCRYPT_LOG(LOG_ERR, "AES_set_%s_key(kek) failed\n", bWrap? "encrypt": "decrypt"); + if (cryspr_cb->cryspr->aes_set_key(HCRYPT_CTX_MODE_AESECB, bWrap, kek, kek_len, aes_kek)) { + HCRYPT_LOG(LOG_ERR, "aes_set_%s_key(kek) failed\n", bWrap? "encrypt": "decrypt"); return(-1); } return(0); @@ -163,7 +165,9 @@ int crysprFallback_AES_WrapKey(CRYSPR_cb *cryspr_cb, memcpy(B + 8, R, 8); { size_t outlen = 16; - cryspr_cb->cryspr->aes_ecb_cipher(true, &cryspr_cb->aes_kek, B, 16, B, &outlen); + CRYSPR_AESCTX *aes_kek = CRYSPR_GETKEK(cryspr_cb); + + cryspr_cb->cryspr->aes_ecb_cipher(true, aes_kek, B, 16, B, &outlen); } A[7] ^= (unsigned char)(t & 0xff); if (t > 0xff) @@ -211,7 +215,9 @@ int crysprFallback_AES_UnwrapKey(CRYSPR_cb *cryspr_cb, memcpy(B + 8, R, 8); { size_t outlen = 16; - cryspr_cb->cryspr->aes_ecb_cipher(false, &cryspr_cb->aes_kek, B, 16, B, &outlen); + CRYSPR_AESCTX *aes_kek = CRYSPR_GETKEK(cryspr_cb); + + cryspr_cb->cryspr->aes_ecb_cipher(false, aes_kek, B, 16, B, &outlen); } memcpy(R, B + 8, 8); } @@ -237,20 +243,23 @@ static unsigned char *_crysprFallback_GetOutbuf(CRYSPR_cb *cryspr_cb, size_t pfx return(out_buf); } -static CRYSPR_cb *crysprFallback_Open(CRYSPR_methods *cryspr, size_t max_len) +CRYSPR_cb *crysprHelper_Open(CRYSPR_methods *cryspr, size_t cb_len, size_t max_len) { CRYSPR_cb *cryspr_cb; unsigned char *membuf; size_t memsiz, padded_len = hcryptMsg_PaddedLen(max_len, 128/8); - HCRYPT_LOG(LOG_DEBUG, "%s", "Using OpenSSL AES\n"); - - memsiz = sizeof(*cryspr_cb) + (CRYSPR_OUTMSGMAX * padded_len); + if(cb_len < sizeof(*cryspr_cb)) { + HCRYPT_LOG(LOG_ERR, "crysprHelper_Open() cb_len too small (%zd < %zd)n", + cb_len, sizeof(*cryspr_cb)); + return(NULL); + } + memsiz = cb_len + (CRYSPR_OUTMSGMAX * padded_len); #if !CRYSPR_HAS_AESCTR memsiz += HCRYPT_CTR_STREAM_SZ; #endif /* !CRYSPR_HAS_AESCTR */ - cryspr_cb = malloc(memsiz); + cryspr_cb = calloc(1, memsiz); if (NULL == cryspr_cb) { HCRYPT_LOG(LOG_ERR, "malloc(%zd) failed\n", memsiz); return(NULL); @@ -258,6 +267,9 @@ static CRYSPR_cb *crysprFallback_Open(CRYSPR_methods *cryspr, size_t max_len) membuf = (unsigned char *)cryspr_cb; membuf += sizeof(*cryspr_cb); + /*reserve cryspr's private data that caller will initialize */ + membuf += (cb_len-sizeof(CRYSPR_cb)); + #if !CRYSPR_HAS_AESCTR cryspr_cb->ctr_stream = membuf; membuf += HCRYPT_CTR_STREAM_SZ; @@ -275,24 +287,37 @@ static CRYSPR_cb *crysprFallback_Open(CRYSPR_methods *cryspr, size_t max_len) return(cryspr_cb); } +int crysprHelper_Close(CRYSPR_cb *cryspr_cb) +{ + free(cryspr_cb); + return(0); +} + +static CRYSPR_cb *crysprFallback_Open(CRYSPR_methods *cryspr, size_t max_len) +{ + CRYSPR_cb *cryspr_cb; + + cryspr_cb = crysprHelper_Open(cryspr, sizeof(CRYSPR_cb), max_len); + return(cryspr_cb); +} + static int crysprFallback_Close(CRYSPR_cb *cryspr_cb) { - free(cryspr_cb); - return(0); + return(crysprHelper_Close(cryspr_cb)); } static int crysprFallback_MsSetKey(CRYSPR_cb *cryspr_cb, hcrypt_Ctx *ctx, const unsigned char *key, size_t key_len) { - CRYSPR_AESCTX *aes_sek = &cryspr_cb->aes_sek[hcryptCtx_GetKeyIndex(ctx)]; /* Ctx tells if it's for odd or even key */ + CRYSPR_AESCTX *aes_sek = CRYSPR_GETSEK(cryspr_cb, hcryptCtx_GetKeyIndex(ctx)); /* Ctx tells if it's for odd or even key */ if ((ctx->flags & HCRYPT_CTX_F_ENCRYPT) /* Encrypt key */ || (ctx->mode == HCRYPT_CTX_MODE_AESCTR)) { /* CTR mode decrypts using encryption methods */ - if (cryspr_cb->cryspr->aes_set_key(true, key, key_len, aes_sek)) { + if (cryspr_cb->cryspr->aes_set_key(HCRYPT_CTX_MODE_AESCTR, true, key, key_len, aes_sek)) { HCRYPT_LOG(LOG_ERR, "%s", "CRYSPR->set_encrypt_key(sek) failed\n"); return(-1); } } else { /* Decrypt key */ - if (cryspr_cb->cryspr->aes_set_key(false, key, key_len, aes_sek)) { + if (cryspr_cb->cryspr->aes_set_key(HCRYPT_CTX_MODE_AESCTR, false, key, key_len, aes_sek)) { HCRYPT_LOG(LOG_ERR, "%s", "CRYSPR->set_decrypt_key(sek) failed\n"); return(-1); } @@ -380,7 +405,8 @@ static int crysprFallback_MsEncrypt( { #if CRYSPR_HAS_AESCTR /* Get current key (odd|even) from context */ - CRYSPR_AESCTX *aes_key = &cryspr_cb->aes_sek[hcryptCtx_GetKeyIndex(ctx)]; + CRYSPR_AESCTX *aes_key = CRYSPR_GETSEK(cryspr_cb, hcryptCtx_GetKeyIndex(ctx)); /* Ctx tells if it's for odd or even key */ + unsigned char iv[CRYSPR_AESBLKSZ]; /* Get input packet index (in network order) */ @@ -408,7 +434,7 @@ static int crysprFallback_MsEncrypt( &out_msg[pfx_len]); #else /*CRYSPR_HAS_AESCTR*/ /* Get current key (odd|even) from context */ - CRYSPR_AESCTX *aes_key = &cryspr_cb->aes_sek[hcryptCtx_GetKeyIndex(ctx)]; + CRYSPR_AESCTX *aes_key = CRYSPR_GETSEK(cryspr_cb, hcryptCtx_GetKeyIndex(ctx)); unsigned char iv[CRYSPR_AESBLKSZ]; int iret = 0; @@ -535,7 +561,7 @@ static int crysprFallback_MsDecrypt(CRYSPR_cb *cryspr_cb, hcrypt_Ctx *ctx, { #if CRYSPR_HAS_AESCTR /* Get current key (odd|even) from context */ - CRYSPR_AESCTX *aes_key = &cryspr_cb->aes_sek[hcryptCtx_GetKeyIndex(ctx)]; + CRYSPR_AESCTX *aes_key = CRYSPR_GETSEK(cryspr_cb, hcryptCtx_GetKeyIndex(ctx)); unsigned char iv[CRYSPR_AESBLKSZ]; /* Get input packet index (in network order) */ @@ -564,7 +590,7 @@ static int crysprFallback_MsDecrypt(CRYSPR_cb *cryspr_cb, hcrypt_Ctx *ctx, out_len = in_data[0].len; #else /*CRYSPR_HAS_AESCTR*/ /* Get current key (odd|even) from context */ - CRYSPR_AESCTX *aes_key = &cryspr_cb->aes_sek[hcryptCtx_GetKeyIndex(ctx)]; + CRYSPR_AESCTX *aes_key = CRYSPR_GETSEK(cryspr_cb, hcryptCtx_GetKeyIndex(ctx)); unsigned char iv[CRYSPR_AESBLKSZ]; int iret = 0; diff --git a/haicrypt/cryspr.h b/haicrypt/cryspr.h index 45a300fef..d515c3a4b 100644 --- a/haicrypt/cryspr.h +++ b/haicrypt/cryspr.h @@ -39,8 +39,17 @@ extern "C" { #include "cryspr-config.h" typedef struct tag_CRYSPR_cb { +#ifdef CRYSPR2 + CRYSPR_AESCTX *aes_kek; /* Key Encrypting Key (KEK) */ + CRYSPR_AESCTX *aes_sek[2]; /* even/odd Stream Encrypting Key (SEK) */ +#define CRYSPR_GETKEK(cb) ((cb)->aes_kek) +#define CRYSPR_GETSEK(cb,kk) ((cb)->aes_sek[kk]) +#else /*CRYSPR2*/ CRYSPR_AESCTX aes_kek; /* Key Encrypting Key (KEK) */ CRYSPR_AESCTX aes_sek[2]; /* even/odd Stream Encrypting Key (SEK) */ +#define CRYSPR_GETKEK(cb) (&((cb)->aes_kek)) +#define CRYSPR_GETSEK(cb,kk) (&((cb)->aes_sek[kk])) +#endif /*CRYSPR2*/ struct tag_CRYSPR_methods *cryspr; @@ -69,6 +78,7 @@ typedef struct tag_CRYSPR_methods { int rn_len); int (*aes_set_key)( + int cipher_type, /* One of HCRYPT_CTX_MODE_[CLRTXT|AESECB|AESCTR|AESGDM] */ bool bEncrypt, /* true Enxcrypt key, false: decrypt */ const unsigned char *kstr,/* key string*/ size_t kstr_len, /* kstr len in bytes (16, 24, or 32 bytes (for AES128,AES192, or AES256) */ @@ -194,6 +204,9 @@ typedef struct tag_CRYSPR_methods { } CRYSPR_methods; +CRYSPR_cb *crysprHelper_Open(CRYSPR_methods *cryspr, size_t cb_len, size_t max_len); +int crysprHelper_Close(CRYSPR_cb *cryspr_cb); + CRYSPR_methods *crysprInit(CRYSPR_methods *cryspr); #ifdef __cplusplus diff --git a/haicrypt/filelist-openssl-evp.maf b/haicrypt/filelist-openssl-evp.maf new file mode 100644 index 000000000..9548dc796 --- /dev/null +++ b/haicrypt/filelist-openssl-evp.maf @@ -0,0 +1,24 @@ +# HaiCrypt library contents + +PUBLIC HEADERS +haicrypt.h +hcrypt_ctx.h +hcrypt_msg.h + +PRIVATE HEADERS +hcrypt.h +cryspr.h +cryspr-openssl-evp.h +haicrypt_log.h + +SOURCES +cryspr.c +cryspr-openssl-evp.c +hcrypt.c +hcrypt_ctx_rx.c +hcrypt_ctx_tx.c +hcrypt_rx.c +hcrypt_sa.c +hcrypt_tx.c +hcrypt_xpt_srt.c +haicrypt_log.cpp diff --git a/test/test_cryspr.cpp b/test/test_cryspr.cpp index 3a54aaf4f..9ff0623ec 100644 --- a/test/test_cryspr.cpp +++ b/test/test_cryspr.cpp @@ -574,14 +574,11 @@ void test_AESecb( ASSERT_NE(cryspr_m->aes_ecb_cipher, nullPtr); rc1 = cryspr_m->aes_set_key( + HCRYPT_CTX_MODE_AESECB, bEncrypt, tv->sek, /* Stream encrypting Key */ tv->seklen, -#if WITH_FIPSMODE - cryspr_cb->aes_sek[0]); -#else - &cryspr_cb->aes_sek[0]); -#endif + CRYSPR_GETSEK(cryspr_cb, 0)); if(bEncrypt) { intxt=(unsigned char *)tv->cleartxt; outtxt=(unsigned char *)tv->ciphertxt; @@ -592,11 +589,7 @@ void test_AESecb( rc2 = cryspr_m->aes_ecb_cipher( bEncrypt, /* true:encrypt, false:decrypt */ -#if WITH_FIPSMODE - cryspr_cb->aes_sek[0], /* CRYpto Service PRovider AES Key context */ -#else - &cryspr_cb->aes_sek[0], /* CRYpto Service PRovider AES Key context */ -#endif + CRYSPR_GETSEK(cryspr_cb, 0),/* CRYpto Service PRovider AES Key context */ intxt, /* src */ txtlen, /* length */ result, /* dest */ @@ -729,14 +722,11 @@ void test_AESctr( ASSERT_NE(cryspr_m->aes_ctr_cipher, nullPtr); rc1 = cryspr_m->aes_set_key( + HCRYPT_CTX_MODE_AESCTR, true, //For CTR, Encrypt key is used for both encryption and decryption tv->sek, /* Stream encrypting Key */ tv->seklen, -#if WITH_FIPSMODE - cryspr_cb->aes_sek[0]); -#else - &cryspr_cb->aes_sek[0]); -#endif + CRYSPR_GETSEK(cryspr_cb, 0)); if(bEncrypt) { intxt=(unsigned char *)tv->cleartxt; outtxt=(unsigned char *)tv->ciphertxt; @@ -748,11 +738,7 @@ void test_AESctr( memcpy(ivec, tv->iv, sizeof(ivec)); //cipher ivec not const rc2 = cryspr_m->aes_ctr_cipher( bEncrypt, /* true:encrypt, false:decrypt */ -#if WITH_FIPSMODE - cryspr_cb->aes_sek[0], /* CRYpto Service PRovider AES Key context */ -#else - &cryspr_cb->aes_sek[0], /* CRYpto Service PRovider AES Key context */ -#endif + CRYSPR_GETSEK(cryspr_cb, 0),/* CRYpto Service PRovider AES Key context */ ivec, /* iv */ intxt, /* src */ txtlen, /* length */