libh2o-win/picotls/lib/ffx.c

/*
 * Copyright (c) 2016 Christian Huitema <huitema@huitema.net>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
#ifdef _WINDOWS
#include "wincompat.h"
#else
#include <unistd.h>
#endif
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include "picotls.h"
#include "picotls/minicrypto.h"
#include "picotls/ffx.h"

static void ffx_dispose(ptls_cipher_context_t *_ctx);
static void ffx_encrypt(ptls_cipher_context_t *_ctx, void *output, const void *input, size_t len);
static void ffx_init(struct st_ptls_cipher_context_t *ctx, const void *iv);

int ptls_ffx_setup_crypto(ptls_cipher_context_t *_ctx, ptls_cipher_algorithm_t *algo, int is_enc, int nb_rounds, size_t bit_length,
                          const void *key)
{
    int ret = 0;
    ptls_ffx_context_t *ctx = (ptls_ffx_context_t *)_ctx;
    ptls_cipher_context_t *enc_ctx = NULL;
    size_t len = (bit_length + 7) / 8;
    uint8_t last_byte_mask[8] = {0xFF, 0xFE, 0xFC, 0xF8, 0xF0, 0xE0, 0xC0, 0x80};

    assert(len <= 32 && len >= 2);
    assert(ctx->super.do_dispose == NULL);
    assert(ctx->super.do_init == NULL);
    assert(ctx->super.do_transform == NULL);
    assert(ctx->super.algo == NULL || algo->key_size == ctx->super.algo->key_size);
    assert(ctx->super.algo == NULL || algo->iv_size == ctx->super.algo->iv_size);
    assert(ctx->super.algo == NULL || ctx->super.algo->block_size == len);
    assert(algo->iv_size == 16);

    if (len <= 32 && len >= 2) {
        /* len must be lower than 32 */
        enc_ctx = ptls_cipher_new(algo, 1, key);

        if (enc_ctx == NULL) {
            ret = PTLS_ERROR_LIBRARY;
        }
    } else {
        ret = PTLS_ERROR_LIBRARY;
    }

    if (ret == 0) {
        ctx->enc_ctx = enc_ctx;
        ctx->nb_rounds = nb_rounds;
        ctx->is_enc = is_enc;
        ctx->byte_length = len;
        ctx->nb_left = (int)len / 2;
        ctx->nb_right = (int)len - ctx->nb_left;
        ctx->mask_last_byte = last_byte_mask[bit_length % 8];
        ptls_clear_memory(ctx->tweaks, sizeof(ctx->tweaks));

        ctx->super.do_dispose = ffx_dispose;
        ctx->super.do_init = ffx_init;
        ctx->super.do_transform = ffx_encrypt;
    } else {
        ffx_dispose(_ctx);
    }

    return ret;
}

static void ffx_dispose(ptls_cipher_context_t *_ctx)
{
    ptls_ffx_context_t *ctx = (ptls_ffx_context_t *)_ctx;

    assert(ctx->super.do_dispose == ffx_dispose);

    if (ctx->enc_ctx != NULL) {
        ptls_cipher_free(ctx->enc_ctx);
    }

    ctx->enc_ctx = NULL;
    ctx->nb_rounds = 0;
    ctx->byte_length = 0;
    ctx->nb_left = 0;
    ctx->nb_right = 0;
    ctx->mask_last_byte = 0;
    ctx->is_enc = 0;

    ctx->super.do_dispose = NULL;
    ctx->super.do_init = NULL;
    ctx->super.do_transform = NULL;
}

ptls_cipher_context_t *ptls_ffx_new(ptls_cipher_algorithm_t *algo, int is_enc, int nb_rounds, size_t bit_length, const void *key)
{
    ptls_cipher_context_t *ctx = (ptls_cipher_context_t *)malloc(sizeof(ptls_ffx_context_t));

    if (ctx != NULL) {
        memset(ctx, 0, sizeof(ptls_ffx_context_t));
        if (ptls_ffx_setup_crypto(ctx, algo, is_enc, nb_rounds, bit_length, key) != 0) {
            free(ctx);
            ctx = NULL;
        }
    }

    return ctx;
}

static void ptls_ffx_one_pass(ptls_cipher_context_t *enc_ctx, uint8_t *source, size_t source_size, uint8_t *target,
                              size_t target_size, uint8_t mask_last_byte, uint8_t *confusion, uint8_t *iv, uint8_t *tweaks,
                              uint8_t round, uint8_t nb_rounds)
{
    static const uint8_t zeros[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};

    memcpy(iv, tweaks, 16);
    iv[round & 15] ^= nb_rounds;
    for (size_t i = 0; i < source_size; i++) {
        iv[i] ^= source[i];
    }
    ptls_cipher_init(enc_ctx, iv);
    ptls_cipher_encrypt(enc_ctx, confusion, zeros, 16);
    for (size_t j = 0; j < target_size - 1; j++) {
        target[j] ^= confusion[j];
    }
    target[target_size - 1] ^= (confusion[target_size - 1] & mask_last_byte);
}

static void ffx_encrypt(ptls_cipher_context_t *_ctx, void *output, const void *input, size_t len)
{
    ptls_ffx_context_t *ctx = (ptls_ffx_context_t *)_ctx;
    uint8_t left[16], right[16], confusion[32], iv[16];
    uint8_t last_byte;

    assert(ctx->super.do_transform == ffx_encrypt);

    /* len must match context definition */
    assert(len == ctx->byte_length);
    if (len != ctx->byte_length) {
        memset(output, 0, len); /* so that we do not leak anything in production mode */
        return;
    }

    /* Split the input in two halves */
    memcpy(left, input, ctx->nb_left);
    memcpy(right, ((uint8_t *)input) + ctx->nb_left, ctx->nb_right);
    memset(left + ctx->nb_left, 0, 16 - ctx->nb_left);
    memset(right + ctx->nb_right, 0, 16 - ctx->nb_right);
    last_byte = right[ctx->nb_right - 1];
    right[ctx->nb_right - 1] &= ctx->mask_last_byte;

    if (ctx->is_enc) {
        /* Feistel construct, using the specified algorithm as S-Box */
        for (int i = 0; i < ctx->nb_rounds; i += 2) {
            /* Each pass encrypts a zero field with a cipher using one
             * half of the message as IV. This construct lets us use
             * either AES or chacha 20 */
            ptls_ffx_one_pass(ctx->enc_ctx, right, ctx->nb_right, left, ctx->nb_left, 0xFF, confusion, iv, ctx->tweaks, i,
                              ctx->nb_rounds);
            ptls_ffx_one_pass(ctx->enc_ctx, left, ctx->nb_left, right, ctx->nb_right, ctx->mask_last_byte, confusion, iv,
                              ctx->tweaks, i + 1, ctx->nb_rounds);
        }
    } else {
        /* Feistel construct, using the specified algorithm as S-Box,
         * in the opposite order of the encryption */

        for (int i = 0; i < ctx->nb_rounds; i += 2) {
            /* Each pass encrypts a zero field with a cipher using one
             * half of the message as IV. This construct lets us use
             * either AES or chacha 20 */

            ptls_ffx_one_pass(ctx->enc_ctx, left, ctx->nb_left, right, ctx->nb_right, ctx->mask_last_byte, confusion, iv,
                              ctx->tweaks, ctx->nb_rounds - 1 - i, ctx->nb_rounds);
            ptls_ffx_one_pass(ctx->enc_ctx, right, ctx->nb_right, left, ctx->nb_left, 0xFF, confusion, iv, ctx->tweaks,
                              ctx->nb_rounds - 2 - i, ctx->nb_rounds);
        }
    }
    /* After enough passes, we have a very strong length preserving
     * encryption, only that many times slower than the underlying
     * algorithm. We copy the result to the output */
    memcpy(output, left, ctx->nb_left);

    right[ctx->nb_right - 1] &= ctx->mask_last_byte;
    right[ctx->nb_right - 1] |= (last_byte & ~ctx->mask_last_byte);

    memcpy(((uint8_t *)output) + ctx->nb_left, right, ctx->nb_right);

    ptls_clear_memory(left, sizeof(left));
    ptls_clear_memory(right, sizeof(right));
    ptls_clear_memory(confusion, sizeof(confusion));
}

static void ffx_init(struct st_ptls_cipher_context_t *_ctx, const void *iv)
{
    ptls_ffx_context_t *ctx = (ptls_ffx_context_t *)_ctx;
    assert(ctx->super.do_init == ffx_init);
    memcpy(ctx->tweaks, iv, 16);
}