Merge branch 'master' of https://github.com/gost-engine/engine

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 959968138dce0010dd0c8e35d676165d7d1da71a..52397396efc15264ab91e3f0285df700d428bbea 100644 (file)
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -183,6 +183,9 @@ add_custom_target(tags
     COMMAND ctags -R . ${OPENSSL_ROOT_DIR}
     WORKING_DIRECTORY ${CMAKE_SOURCE_DIR})
 
+add_executable(test_tlstree test_tlstree.c)
+target_link_libraries(test_tlstree PUBLIC ${OPENSSL_CRYPTO_LIBRARY})
+
 # install
 set(OPENSSL_MAN_INSTALL_DIR ${CMAKE_INSTALL_MANDIR}/man1)
 

diff --git a/gost_grasshopper_cipher.c b/gost_grasshopper_cipher.c
index b6d044f3ef0b0d02a6a922b76b7b8436a460e64e..7ae50f587be59ea64f4684ddbeaa3a7a3e77ee1b 100644 (file)
--- a/gost_grasshopper_cipher.c
+++ b/gost_grasshopper_cipher.c
@@ -763,57 +763,55 @@ int gost_grasshopper_cipher_ctl(EVP_CIPHER_CTX *ctx, int type, int arg,
 #ifdef EVP_CTRL_TLS1_2_TLSTREE
     case EVP_CTRL_TLS1_2_TLSTREE:
         {
-            unsigned char newkey[32];
-            int mode = EVP_CIPHER_CTX_mode(ctx);
-            static const unsigned char zeroseq[8];
-            gost_grasshopper_cipher_ctx_ctr *ctr_ctx = NULL;
-            gost_grasshopper_cipher_ctx *c = NULL;
-
-            if (mode != EVP_CIPH_CTR_MODE)
-                return -1;
-
-            ctr_ctx = (gost_grasshopper_cipher_ctx_ctr *)
-                EVP_CIPHER_CTX_get_cipher_data(ctx);
-            c = &(ctr_ctx->c);
-
-            if (gost_tlstree(NID_grasshopper_cbc, c->master_key.k.b, newkey,
-                             (const unsigned char *)ptr) > 0) {
-            /* FIXME may be it should be moved to separate control */
-              unsigned char adjusted_iv[16];
-              unsigned char seq[8];
-              int j;
-              memcpy(seq, ptr, 8);
-              if (EVP_CIPHER_CTX_encrypting(ctx)) {
-              /*
-               * OpenSSL increments seq after mac calculation.
-               * As we have Mac-Then-Encrypt, we need decrement it here on encryption
-               * to derive the key correctly.
-               * */
-                if (memcmp(seq, zeroseq, 8) != 0)
-                {
-                  for(j=7; j>=0; j--)
-                  {
-                    if (seq[j] != 0) {seq[j]--; break;}
-                    else seq[j]  = 0xFF;
-                  }
-                }
-              }
-
-              memset(adjusted_iv, 0, 16);
-              memcpy(adjusted_iv, EVP_CIPHER_CTX_original_iv(ctx), 8);
+          unsigned char newkey[32];
+          int mode = EVP_CIPHER_CTX_mode(ctx);
+          static const unsigned char zeroseq[8];
+          gost_grasshopper_cipher_ctx_ctr *ctr_ctx = NULL;
+          gost_grasshopper_cipher_ctx *c = NULL;
+
+          unsigned char adjusted_iv[16];
+          unsigned char seq[8];
+          int j;
+          if (mode != EVP_CIPH_CTR_MODE)
+            return -1;
+
+          ctr_ctx = (gost_grasshopper_cipher_ctx_ctr *)
+            EVP_CIPHER_CTX_get_cipher_data(ctx);
+          c = &(ctr_ctx->c);
+
+          memcpy(seq, ptr, 8);
+          if (EVP_CIPHER_CTX_encrypting(ctx)) {
+            /*
+             * OpenSSL increments seq after mac calculation.
+             * As we have Mac-Then-Encrypt, we need decrement it here on encryption
+             * to derive the key correctly.
+             * */
+            if (memcmp(seq, zeroseq, 8) != 0)
+            {
               for(j=7; j>=0; j--)
               {
-                int adj_byte, carry = 0;
-                adj_byte = adjusted_iv[j]+seq[j]+carry;
-                carry = (adj_byte > 255) ? 1 : 0;
-                adjusted_iv[j] = adj_byte & 0xFF;
+                if (seq[j] != 0) {seq[j]--; break;}
+                else seq[j]  = 0xFF;
               }
-              EVP_CIPHER_CTX_set_num(ctx, 0);
-              memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), adjusted_iv, 16);
-
-                gost_grasshopper_cipher_key(c, newkey);
-                return 1;
             }
+          }
+          if (gost_tlstree(NID_grasshopper_cbc, c->master_key.k.b, newkey,
+                (const unsigned char *)seq) > 0) {
+            memset(adjusted_iv, 0, 16);
+            memcpy(adjusted_iv, EVP_CIPHER_CTX_original_iv(ctx), 8);
+            for(j=7; j>=0; j--)
+            {
+              int adj_byte, carry = 0;
+              adj_byte = adjusted_iv[j]+seq[j]+carry;
+              carry = (adj_byte > 255) ? 1 : 0;
+              adjusted_iv[j] = adj_byte & 0xFF;
+            }
+            EVP_CIPHER_CTX_set_num(ctx, 0);
+            memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), adjusted_iv, 16);
+
+            gost_grasshopper_cipher_key(c, newkey);
+            return 1;
+          }
         }
         return -1;
 #endif

diff --git a/test_tlstree.c b/test_tlstree.c
new file mode 100644 (file)
index 0000000..08caf90
--- /dev/null
+++ b/test_tlstree.c
@@ -0,0 +1,181 @@
+# include <stdio.h>
+# include <string.h>
+# include <openssl/err.h>
+# include <openssl/evp.h>
+
+static void hexdump(FILE *f, const char *title, const unsigned char *s, int l)
+{
+    int n = 0;
+
+    fprintf(f, "%s", title);
+    for (; n < l; ++n) {
+        if ((n % 16) == 0)
+            fprintf(f, "\n%04x", n);
+        fprintf(f, " %02x", s[n]);
+    }
+    fprintf(f, "\n");
+}
+
+int main(void)
+{
+#ifdef EVP_MD_CTRL_TLSTREE
+       const unsigned char mac_secret[] = {
+0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+       };
+
+       const unsigned char enc_key[] = {
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+       };
+
+       const unsigned char full_iv[] = {
+               0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+               0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+       };
+
+
+       unsigned char seq0[] = {
+               0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+       };
+
+       const unsigned char rec0_header[] = {
+0x17, 0x03, 0x03, 0x00, 0x0F
+       };
+
+       const unsigned char data0[15] = {
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+       };
+
+       const unsigned char mac0_etl[16] = {
+0x75, 0x53, 0x09, 0xCB, 0xC7, 0x3B, 0xB9, 0x49, 0xC5, 0x0E, 0xBB, 0x86, 0x16, 0x0A, 0x0F, 0xEE
+       };
+
+       const unsigned char enc0_etl[31] = {
+0xf3, 0x17, 0xa7, 0x1d, 0x3a, 0xce, 0x43, 0x3b, 0x01, 0xd4, 0xe7, 0xd4, 0xef, 0x61, 0xae, 0x00,
+0xd5, 0x3b, 0x41, 0x52, 0x7a, 0x26, 0x1e, 0xdf, 0xc2, 0xba, 0x78, 0x57, 0xc1, 0x93, 0x2d
+       };
+
+       unsigned char data0_processed[31];
+       unsigned char mac0[16];
+
+       unsigned char seq63[] = {
+               0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3F,
+       };
+
+       const unsigned char rec63_header[] = {
+0x17, 0x03, 0x03, 0x10, 0x00
+       };
+
+       unsigned char data63[4096];
+
+       const unsigned char mac63_etl[16] = {
+0x0A, 0x3B, 0xFD, 0x43, 0x0F, 0xCD, 0xD8, 0xD8, 0x5C, 0x96, 0x46, 0x86, 0x81, 0x78, 0x4F, 0x7D
+       };
+
+       const unsigned char enc63_etl_head[32] = {
+0x6A, 0x18, 0x38, 0xB0, 0xA0, 0xD5, 0xA0, 0x4D, 0x1F, 0x29, 0x64, 0x89, 0x6D, 0x08, 0x5F, 0xB7, 
+0xDA, 0x84, 0xD7, 0x76, 0xC3, 0x9F, 0x5C, 0xDC, 0x37, 0x20, 0xB7, 0xB5, 0x59, 0xEF, 0x13, 0x9D
+       };
+       const unsigned char enc63_etl_tail[48] = {
+0x0A, 0x81, 0x29, 0x9B, 0x35, 0x98, 0x19, 0x5D, 0xD4, 0x51, 0x68, 0xA6, 0x38, 0x50, 0xA7, 0x6E, 
+0x1A, 0x4F, 0x1E, 0x6D, 0xD5, 0xEF, 0x72, 0x59, 0x3F, 0xAE, 0x76, 0x55, 0x71, 0xEC, 0x37, 0xE7, 
+0x17, 0xF5, 0xB8, 0x62, 0x85, 0xBB, 0x5B, 0xFD, 0x83, 0xB6, 0x6A, 0xB7, 0x63, 0x86, 0x52, 0x08
+       };
+
+       unsigned char data63_processed[4096+16];
+       unsigned char mac63[16];
+
+       EVP_MD_CTX *mdctx = EVP_MD_CTX_new();
+       EVP_CIPHER_CTX *enc = NULL;
+       const EVP_MD *md;
+       const EVP_CIPHER *ciph;
+       EVP_PKEY *mac_key;
+       size_t mac_len;
+       int i;
+
+       OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
+               
+       memset(data63, 0, 4096);
+
+       md = EVP_get_digestbynid(NID_grasshopper_mac);
+
+       EVP_DigestInit_ex(mdctx, md, NULL);
+  mac_key = EVP_PKEY_new_mac_key(NID_grasshopper_mac, NULL, mac_secret, 32);
+  EVP_DigestSignInit(mdctx, NULL, md, NULL, mac_key);
+  EVP_PKEY_free(mac_key);
+
+       EVP_MD_CTX_ctrl(mdctx, EVP_MD_CTRL_TLSTREE, 0, seq0);
+       EVP_DigestSignUpdate(mdctx, seq0, 8);
+       EVP_DigestSignUpdate(mdctx, rec0_header, 5);
+       EVP_DigestSignUpdate(mdctx, data0, 15);
+       EVP_DigestSignFinal(mdctx, mac0, &mac_len);
+
+       EVP_MD_CTX_free(mdctx);
+       hexdump(stderr, "MAC0 result", mac0, mac_len);
+       if (memcmp(mac0, mac0_etl, 16) != 0) {
+               fprintf(stderr, "MAC0 mismatch");
+               exit(1);
+       }
+
+       ciph = EVP_get_cipherbynid(NID_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm);
+       enc = EVP_CIPHER_CTX_new();
+       EVP_EncryptInit_ex(enc, ciph, NULL, enc_key, full_iv);
+
+       for (i = 7; i >= 0; i--) {
+               ++seq0[i];
+               if (seq0[i] != 0)
+                       break;
+       }
+       EVP_CIPHER_CTX_ctrl(enc, EVP_CTRL_TLS1_2_TLSTREE, 0, seq0);
+       EVP_Cipher(enc, data0_processed, data0, sizeof(data0));
+       EVP_Cipher(enc, data0_processed+sizeof(data0), mac0, 16);
+
+       hexdump(stderr, "ENC0 result", data0_processed, 31);
+       if (memcmp(enc0_etl, data0_processed, 16) != 0) {
+               fprintf(stderr, "ENC0 mismatch");
+               exit(1);
+       }
+
+       mdctx = EVP_MD_CTX_new();
+       EVP_DigestInit_ex(mdctx, md, NULL);
+  mac_key = EVP_PKEY_new_mac_key(NID_grasshopper_mac, NULL, mac_secret, 32);
+  EVP_DigestSignInit(mdctx, NULL, md, NULL, mac_key);
+  EVP_PKEY_free(mac_key);
+
+       EVP_MD_CTX_ctrl(mdctx, EVP_MD_CTRL_TLSTREE, 0, seq63);
+       EVP_DigestSignUpdate(mdctx, seq63, 8);
+       EVP_DigestSignUpdate(mdctx, rec63_header, 5);
+       EVP_DigestSignUpdate(mdctx, data63, 4096);
+       EVP_DigestSignFinal(mdctx, mac63, &mac_len);
+
+       EVP_MD_CTX_free(mdctx);
+       hexdump(stderr, "MAC63 result", mac63, mac_len);
+       if (memcmp(mac63, mac63_etl, 16) != 0) {
+               fprintf(stderr, "MAC63 mismatch");
+               exit(1);
+       }
+
+       for (i = 7; i >= 0; i--) {
+               ++seq63[i];
+               if (seq63[i] != 0)
+                       break;
+       }
+       EVP_CIPHER_CTX_ctrl(enc, EVP_CTRL_TLS1_2_TLSTREE, 0, seq63);
+       EVP_Cipher(enc, data63_processed, data63, sizeof(data63));
+       EVP_Cipher(enc, data63_processed+sizeof(data63), mac63, 16);
+
+       hexdump(stderr, "ENC63 result: head", data63_processed, 32);
+       if (memcmp(enc63_etl_head, data63_processed, sizeof(enc63_etl_head)) != 0) {
+               fprintf(stderr, "ENC63 mismatch: head");
+               exit(1);
+       }
+       hexdump(stderr, "ENC63 result: tail", data63_processed+4096+16-48, 48);
+       if (memcmp(enc63_etl_tail, data63_processed+4096+16-48, sizeof(enc63_etl_tail)) != 0) {
+               fprintf(stderr, "ENC63 mismatch: tail");
+               exit(1);
+       }
+
+#endif
+       return 0;
+}